{
	"id": "a13b9d29-f514-4df2-8458-71baf4287a38",
	"created_at": "2026-04-06T00:16:49.489142Z",
	"updated_at": "2026-04-10T03:21:29.935569Z",
	"deleted_at": null,
	"sha1_hash": "5c62fb01e93d9b2e4bfcf11f0d2445f1a18ec1cc",
	"title": "Thanos Ransomware Evading Anti-ransomware Protection With RIPlace Tactic",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1134006,
	"plain_text": "Thanos Ransomware Evading Anti-ransomware Protection With\r\nRIPlace Tactic\r\nBy Priyanka Shinde\r\nPublished: 2020-11-18 · Archived: 2026-04-05 18:02:03 UTC\r\nRansomware has come a long way in cyberspace through continuous improvement of its techniques and tactics for encrypting system files. Over the years ransomware has reinvented itself by moving from PE to non-PE and standalone payloads, and by using different compilers and complex packers. To deal with such variations, behaviour-based detection and anti-ransomware solutions play a vital role, because they target the activity of the ransomware itself, which no variant can avoid.\r\nRansomware authors have now started injecting their malicious payloads into genuine Windows system processes, which are usually white-listed, and encrypting files while bypassing security solutions. They have always been found hunting for exploitable gaps and abusing them the moment one is publicly exposed.\r\nRecently, we observed a similar strain of ransomware (named Thanos Ransomware) trying to evade traditional anti-ransomware solutions by implementing different techniques, which include process injection and the latest RIPlace tactic.\r\nLast year, researchers at Nyotron published a proof of concept (POC) of the RIPlace tactic, which can potentially encrypt files without being identified by anti-ransomware or Endpoint Detection and Response (EDR) solutions.\r\nTechnical Analysis\r\nThe Thanos Ransomware has been found to use multiple features in an attempt to bypass Anti-Virus (AV) products.\r\nThe infection vector is not clear yet, but there is a PowerShell script that contains another, double Base64-encoded PowerShell script, which in turn contains inline C# code. The first script executes the embedded PowerShell script and creates “notepad” processes in hidden mode. The C# code present in the second script is essentially taken from the Urban Bishop code of the Sharp-Suite framework on GitHub. The PID of the created notepad process is passed to this C# code as the argument. After this, the script is distributed laterally to all the machines connected in the network.\r\nhttps://www.seqrite.com/blog/thanos-ransomware-evading-anti-ransomware-protection-with-riplace-tactic/\r\nPage 1 of 8\n\nFig.1 Flow of execution of different modules\r\nFig.2 First PowerShell script containing encrypted script and process creation code\r\nThe function call contains Base64-encoded shellcode (shown in Fig.3), which is then injected into the notepad process. The shellcode contains an encoded .NET payload. This payload is the Thanos ransomware variant that encrypts files on the targeted machine.\r\nFig.3 Encrypted shellcode in the C# code\r\nThere are different modules in the Thanos framework. Some of the interesting ones are:\r\n1. AntiKill – As shown in Fig.4, uses the function named IamInmortal() to make the process immortal by making changes to the process security descriptor.\r\nFig.4 AntiKill code in .Net payload\r\n2. Anti-Analysis – Used to identify the presence of a debugger or virtual environment and, if one is found, terminate the sample.\r\nFig.5 Anti-analysis code in .Net payload\r\n3. Anti-Sniffer – Stops the following processes, which are usually used for analysis:\r\n4. AwakeMe – Responsible for implementing Wake-on-LAN. (A detailed description of Wake-on-LAN can be found in our earlier blog.)\r\n5. Encryptions – Contains all the encryption-related functions, such as AES-CBC encryption, decryption, reading data from files and writing data to files.\r\n6. CryptographyHelper – RSA encryption implementation.\r\n7. NetworkSpreading – Downloads an application from Power Admin (an exe that allows executing a Windows program on a remote machine) and executes the current sample on remote machines.\r\n8. MutexHelper – Checks for the presence of the mutex below to determine whether the sample has already been executed on the system:\r\n“Global\\\\3747bdbf-0ef0-42d8-9234-70d68801f407”\r\n9. ProcessCritical – Checks whether the process is running with admin privileges.\r\n10. RIP – Implementation of the RIPlace tactic, which is discussed later.\r\n11. Shortcut – Creates a shortcut in the Startup folder whose target is the ransom note kept in the %Temp% folder.\r\n12. WakeOnLan – Implements Wake-on-LAN by taking the IP addresses of all the machines connected to the current machine.\r\nThe set of modules included varies between samples.\r\nIt takes the utmost precaution and so tries to hide the following processes:\r\nTaskmgr\r\ntaskmgr\r\nProcessHacker\r\nprocexp\r\nA self-copy is also dropped in the Startup folder. It also tries to stop various AV-related services running on the system via net.exe, using the commands shown in Fig.6.\r\nFig.6 Tries to stop different services\r\nIt further deletes shadow copies using vssadmin.exe and deletes all the backup files present on different drives, including the recycle bin, using:\r\ncmd.exe /c rd /s /q %SYSTEMDRIVE%\\\\$Recycle.bin\r\nEncryption\r\nThe files are encrypted and the extension ‘.locked’ is appended to the filename. Encryption is performed only for files with the extensions given below:\r\nbco, one, dat, txt, vib, vbm, vbk, jpeg, gif, lst, tbl, cdx, log, fpt, jpg, png, php, cs, cpp, rar, zip, html, htm, xlsx, xls, avi, mp4, ppt, doc, docx, sxi, sxw, odt, hwp, tar, bz2, mkv, eml, msg, ost, pst, edb, sql, accdb, mdb, dbf, odb, myd, php, java, cpp, pas, asm, key, pfx, pem, p12, csr, gpg, aes, vsd, odg, raw, nef, svg, psd, vmx, vmdk, vdi, lay6, sqlite3, sqlitedb, accdb, java, class, mpeg, djvu, tiff, backup, pdf, cert, docm, xlsm, dwg, bak, qbw, nd, tlg, lgb, pptx, mov, xdw, ods, wav, mp3, aiff, flac, m4a, csv, sql, ora, mdf, ldf, ndf, dtsx, rdl, dim, mrimg, qbb, rtf, 7z\r\nFig.7 Encrypted files\r\nThe files are encrypted with AES-CBC, and the key used for encryption is then encrypted with RSA and appended to the ransom note (as shown in Fig.8). The complete file is encrypted if the file size is less than 10MB; otherwise, only the first 10MB of file data is encrypted.\r\nFig.8 Ransom Note\r\nBut the most important and novel technique used by Thanos to evade anti-ransomware solutions is the RIPlace tactic, which abuses the Microsoft Windows file Rename functionality. It helps the ransomware hide from modern anti-ransomware solutions.\r\nIn this technique, the malware calls DefineDosDevice, a genuine function that creates a symlink, to give an arbitrary name (for example, ‘Resolve’ in this case) to the target/destination file path. When the rename function is then called, the filter driver fails to parse the destination path in its callback when using the common routine FltGetDestinationFileNameInformation. So, instead of returning the new path, it returns an error; however, the Rename call itself succeeds.\r\nFig.9 RIPlace Tactic\r\nTaking it further, Thanos may also attempt to overwrite the MBR, trying to display the message shown below.\r\nConclusion\r\nRansomware families have used several techniques to evade AV products before, such as increasing complexity, speeding up their operations and terminating analysis tools, but this time the evasion has become more advanced and more challenging for anti-ransomware technologies. The use of almost all the possible anti-analysis techniques, combined with hiding the new extensions of the encrypted files from anti-ransomware solutions, makes the task much more difficult.\r\nIOCs:\r\nSource: https://www.seqrite.com/blog/thanos-ransomware-evading-anti-ransomware-protection-with-riplace-tactic/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.seqrite.com/blog/thanos-ransomware-evading-anti-ransomware-protection-with-riplace-tactic/"
	],
	"report_names": [
		"thanos-ransomware-evading-anti-ransomware-protection-with-riplace-tactic"
	],
	"threat_actors": [],
	"ts_created_at": 1775434609,
	"ts_updated_at": 1775791289,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5c62fb01e93d9b2e4bfcf11f0d2445f1a18ec1cc.pdf",
		"text": "https://archive.orkl.eu/5c62fb01e93d9b2e4bfcf11f0d2445f1a18ec1cc.txt",
		"img": "https://archive.orkl.eu/5c62fb01e93d9b2e4bfcf11f0d2445f1a18ec1cc.jpg"
	}
}