This was inevitable: ‘Thanos’ ransomware weaponizes research tool against Microsoft Windows users

The ransomware shares a name with the villain in "The Avengers."
Thanos ransomware
The ransomware shares a name with the villain in "The Avengers." (Marvel Studios)

Hackers have converted software initially created as a testing tool into a destructive strain of ransomware, weaponizing inside knowledge about digital fortifications at a time when internet extortion only is accelerating.

Scammers on cybercriminal forums are marketing a new strain of ransomware, dubbed “Thanos,” to other attackers aiming to infiltrate computers running Microsoft Windows, according to research published Wednesday by threat intelligence firm Recorded Future. Thanos operates much like similar hacking tools — encrypting victims’ files until they pay a shakedown fee — except that it’s the first ransomware built, in part, based on a proof-of-concept from security researchers who previously marketed their computer code as a way to bypass Windows 10 security protocols as part of otherwise legitimate tests.

The discovery of the Thanos malware family coincided with a 25% uptick in overall ransomware attacks during the first three months of this year, compared to the final three months of 2019. The specialty insurer Beazley Group reported Tuesday that the number of incidents where attackers exploited its clients’ security vulnerabilities continued to climb, particularly in the manufacturing and financial sectors.

Those figures come after Beazley reported in March that ransomware claims more than doubled in 2019, even as the FBI has raced to catch up to the problem.


Recorded Future researchers say they have observed hackers behind Thanos updating the software repeatedly over the past six months, resulting in 12 to 17 classes of malware “depending on the options and settings.” Some versions specialize in defeating the Malwarebytes antivirus software, for instance, while others subvert Windows Defender, empty a victim’s recycle bin, or access data in different ways.

Undergirding much of that functionality is a warped version of “RIPlace,” a security testing tool built to help researchers alter files while evading most antivirus products, according to Nyotron, the security vendor that publicly disclosed RIPlace in November.

By introducing RIPlace, Nyotron researchers said their goal was to alert security firms to a way that ransomware attackers could slip past their detection. Two firms, Kaspersky and Carbon Black, updated their software at time, while many others did not, according to Bleeping Computer.

Members of cybercriminal forums had begun marketing the RIPlace trick by January, two months after the tool became public, according to Recorded Future.

Jeff Stone

Written by Jeff Stone

Jeff Stone is the editor-in-chief of CyberScoop, with a special interest in cybercrime, disinformation and the U.S. justice system. He previously worked as an editor at the Wall Street Journal, and covered technology policy for sites including the Christian Science Monitor and the International Business Times.

Latest Podcasts