{
	"id": "d9885477-d882-468f-943c-a241a677d5cc",
	"created_at": "2026-04-06T00:15:31.205253Z",
	"updated_at": "2026-04-10T03:20:46.609535Z",
	"deleted_at": null,
	"sha1_hash": "7f20b76459f1254e40d6cb8ef5ae8af66a581fdd",
	"title": "Midas Ransomware : Tracing the Evolution of Thanos Ransomware Variants",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 59795,
	"plain_text": "Midas Ransomware : Tracing the Evolution of Thanos Ransomware Variants\r\nBy Rajdeepsinh Dodia\r\nPublished: 2022-03-23 · Archived: 2026-04-05 21:55:21 UTC\r\nKey Takeaways: An in-depth analysis of Midas and trends across other Thanos ransomware variants reveals how ransomware groups shifted tactics in 2021 to:\r\nlower sunk costs by using RaaS builders to reduce development time\r\nincrease payouts with double extortion tactics by using their own data leak sites\r\nextend the length and effectiveness of campaigns to get the highest investment returns by updating payloads and/or rebranding their own ransomware group\r\nAdvertised on the dark web as Ransomware-as-a-Service (RaaS), Thanos ransomware was first identified in February 2020. Written in C# and running on the .NET Framework, this serious offender reboots systems in safe boot mode to bypass antivirus detection and includes a builder that enables threat actors to create new variants by customizing samples. The source code of the Thanos builder has also leaked, and many different variants based on it have been observed. Here we discuss the four 2021 variants shown in Figure 1 below that used double extortion tactics.\r\nFigure 1: Timeline of Thanos-derived ransomware variants\r\nBeginning in February 2021, the Prometheus ransomware variant emerged as one of the new Thanos-built variants of the year. It encrypts files, appends the “.[{ID}],.PROM[prometheushelp@mail{.}ch] , {ID}[prometheusdec@yahoo{.}com] “ extension and drops the “RESTORE_FILES_INFO.txt, RESTORE_FILES_INFO.hta” ransom note. The Prometheus group, which operates the variant, has claimed to be part of the notorious REvil ransomware group responsible for the Kaseya supply chain attack; however, experts doubt the claim, as a solid connection between the two has never been established. 
This variant is known for using double extortion techniques to make organizations pay, including threatening to leak valuable data on its leak site. A quick check reveals that the leak site is currently down, but the threat still holds potential weight.\r\nIn July 2021, another Thanos-derived ransomware called Haron was discovered. It encrypts files, appends the “.{Targeted Company name}” extension and drops the “RESTORE_FILES_INFO.hta, RESTORE_FILES_INFO.txt” ransom note. The Haron ransomware group also has its own data leak site used for double extortion. This variant has striking similarities with Avaddon ransomware based on examination of the ransom note and data leak site information.\r\nIn September 2021, the Thanos builder was used again to develop the Spook ransomware variant. It encrypts files, appends the “.{ID}” extension and drops the “RESTORE_FILES_INFO.hta, RESTORE_FILES_INFO.txt” ransom note. Similar to the other variants, Spook ransomware also uses double extortion techniques with its own data leak site, as shown in the screenshot below.\r\nhttps://securityboulevard.com/2022/03/midas-ransomware-tracing-the-evolution-of-thanos-ransomware-variants/\r\nPage 1 of 14\n\nRounding out the year in October 2021, another Thanos ransomware family emerged with the Midas variant, which appends the “.{Targeted Company name}” extension and drops the “RESTORE_FILES_INFO.hta and RESTORE_FILES_INFO.txt” ransom note. In January 2022, ThreatLabz investigated a report of Midas ransomware being slowly deployed over a 2-month period; the attacker was observed using different PowerShell scripts, remote access tools and an open-source Windows utility.\r\nLike the others, Midas features its own data leak site for double extortion. 
Interestingly, the site contains leaked victim data from a Haron ransomware attack, suggesting to researchers that Midas is potentially linked to the Haron ransomware operators.\r\nFigure 2: Count of companies with leaked data by 2021 Thanos ransomware variants.\r\nIdentifying Thanos as the Source for the Prometheus, Haron, Spook, and Midas ransomware variants\r\nTracing the evolution of Thanos-based ransomware variants back to the source provides threat researchers with an inside look at how ransomware gangs operate and evolve over time. To establish a connection between each variant, the ThreatLabz team looked for the use of common signatures and indicators that would point back to the Thanos ransomware builder. After determining that each variant was derived using the builder, the team set about analyzing the similarities and differences in the shifting techniques adversaries employ to make new variants of a common-origin ransomware more effective. These observations help us to gain insights into the cooperation happening between adversary groups and better understand the development lifecycle and alternating impacts of ransomware through its variants.\r\nThe analysis that follows walks you through identifying Thanos variants through an examination of common signatures found in the ransom note key identifiers and the consistent use of a common file marker “GotAllDone”. This is followed by an in-depth analysis of the latest Midas variant.\r\nIdentifying Thanos Variants\r\nAll four of the 2021 Thanos-based ransomware variants contain a key identifier with common signatures for the Thanos builder found in the ransom notes, as shown in Figure 3 below.\r\nFigure 3: Screenshots of ransom notes showing the common signature ‘Key Identifier’ for 2021 Thanos ransomware variants: Prometheus, Haron, Spook and Midas.\r\nAnother similarity is that each variant appends a Base64-encoded key to every file after encrypting its data.\r\nPrometheus, 
Haron, Spook, and Midas all contain the same FileMarker, “GotAllDone”, appended at the end of each encrypted file. The screenshot below displays the FileMarker and the Base64-encoded key appended after the data encrypted by Midas ransomware.\r\nFigure 4: Screenshots of FileMarker and Base64 encoded key appended\r\nMidas Ransomware\r\nThe Midas data leak site currently displays data from 29 victim companies, including data from several victims previously seen on the Haron data leak site, which is now inactive.\r\nFigure 5: Screenshot of the Midas ransomware data leak site index page.\r\nFigure 6: Screenshot of victim companies listed on Midas ransomware data leak site.\r\nTechnical analysis\r\nMidas ransomware is written in C# and obfuscated using SmartAssembly. Once executed, this variant starts terminating processes using taskkill.exe. It terminates processes that would inhibit encryption, as well as processes related to security software and database programs, so that it can encrypt more files (files held open by a running database or office application would otherwise be locked). 
Below is a list of the common processes typically terminated by Thanos-based ransomware.\r\nMost commonly terminated processes:\r\nRaccineSettings.exe\r\nmspub.exe\r\nCNTAoSMgr.exe\r\nxfssvccon.exe\r\nmydesktopqos.exe\r\nsqlbrowser.exe\r\nsqlwriter.exe\r\ntbirdconfig.exe\r\nvisio.exe\r\nsqlservr.exe\r\nsqbcoreservice.exe\r\nthebat64.exe\r\nmysqld.exe\r\ndbeng50.exe\r\nNtrtscan.exe\r\nisqlplussvc.exe\r\nsynctime.exe\r\nfirefoxconfig.exe\r\nwinword.exe\r\nocomm.exe\r\nagntsvc.exe\r\ninfopath.exe\r\nocautoupds.exe\r\nmysqld-opt.exe\r\nsqlagent.exe\r\npowerpnt.exe\r\nsteam.exe\r\nzoolz.exe\r\nencsvc.exe\r\nthebat.exe\r\ntmlisten.exe\r\nmbamtray.exe\r\nPccNTMon.exe\r\nmydesktopservice.exe\r\nexcel.exe\r\nonenote.exe\r\nmsftesql.exe\r\nwordpad.exe\r\nocssd.exe\r\nmysqld-nt.exe\r\noracle.exe\r\ndbsnmp.exe\r\noutlook.exe\r\nmsaccess.exe\r\nIt also deletes the process, scheduled task and registry entries related to the Raccine tool. 
Raccine is a ransomware prevention tool that protects the system by blocking ransomware processes from deleting shadow copies.\r\nPrometheus, Haron, Spook and Midas have all been seen terminating Raccine-related artifacts.\r\nFigure 7: Command used to terminate the Raccine process and other artifacts.\r\nThe Midas variant is designed to stop services related to security products, database software, backups and email exchanges.\r\nList of most commonly disrupted services:\r\nstart Dnscache /y\r\nstop msexchangeimap4 /y\r\nstop MSSQLServerADHelper /y\r\nstart FDResPub /y\r\nstop ARSM /y\r\nstop McAfeeEngineService /y\r\nstart SSDPSRV /y\r\nstop MSSQL$BKUPEXEC /y\r\nstop VeeamHvIntegrationSvc /y\r\nstart upnphost /y\r\nstop unistoresvc_1af40a /y\r\nstop MSSQLServerADHelper100 /y\r\nstop avpsus /y\r\nstop BackupExecAgentAccelerator /y\r\nstop McAfeeFramework /y\r\nstop McAfeeDLPAgentService /y\r\nstop MSSQL$ECWDB2 /y\r\nstop VeeamMountSvc /y\r\nstop mfewc /y\r\nstop audioendpointbuilder /y\r\nstop MSSQLServerOLAPService /y\r\nstop BMR Boot Service /y\r\nstop BackupExecAgentBrowser /y\r\nstop McAfeeFrameworkMcAfeeFramework /y\r\nstop NetBackup BMR MTFTP Service /y\r\nstop MSSQL$PRACTICEMGT /y\r\nstop VeeamNFSSvc /y\r\nstop DefWatch /y\r\nstop BackupExecDeviceMediaService /y\r\nstop MySQL57 /y\r\nstop ccEvtMgr /y\r\nstop MSSQL$PRACTTICEBGC /y\r\nstop McShield /y\r\nstop ccSetMgr /y\r\nstop BackupExecJobEngine /y\r\nstop VeeamRESTSvc /y\r\nstop SavRoam /y\r\nstop MSSQL$PROD /y\r\nstop MySQL80 /y\r\nstop RTVscan /y\r\nstop AcronisAgent /y\r\nstop McTaskManager /y\r\nstop QBFCService /y\r\nstop BackupExecManagementService /y\r\nstop VeeamTransportSvc /y\r\nstop QBIDPService /y\r\nstop MSSQL$PROFXENGAGEMENT /y\r\nstop OracleClientCache80 
/y\r\nstop Intuit.QuickBooks.FCS /y\r\nstop Antivirus /y\r\nstop mfefire /y\r\nstop QBCFMonitorService /y\r\nstop BackupExecRPCService /y\r\nstop wbengine /y\r\nstop YooBackup /y\r\nstop MSSQL$SBSMONITORING /\r\nstop ReportServer$SQL_2008 /y\r\nstop YooIT /y\r\nstop MSSQL$SBSMONITORING /y\r\nstop mfemms /y\r\nstop zhudongfangyu /y\r\nstop AVP /y\r\nstop wbengine /y\r\nstop stc_raw_agent /y\r\nstop BackupExecVSSProvider /y\r\nstop RESvc /y\r\nstop VSNAPVSS /y\r\nstop MSSQL$SHAREPOINT /y\r\nstop mfevtp /y\r\nstop VeeamTransportSvc /y\r\nstop DCAgent /y\r\nstop sms_site_sql_backup /y\r\nstop VeeamDeploymentService /y\r\nstop bedbg /y\r\nstop SQLAgent$BKUPEXEC /y\r\nstop VeeamNFSSvc /y\r\nstop MSSQL$SQL_2008 /y\r\nstop MSSQL$SOPHOS /y\r\nstop veeam /y\r\nstop EhttpSrv /y\r\nstop SQLAgent$CITRIX_METAFRAME /y\r\nstop PDVFSService /y\r\nstop MMS /y\r\nstop sacsvr /y\r\nstop BackupExecVSSProvider /y\r\nstop MSSQL$SQLEXPRESS /y\r\nstop SQLAgent$CXDB /y\r\nstop BackupExecAgentAccelerator /y\r\nstop ekrn /y\r\nstop SAVAdminService /y\r\nstop BackupExecAgentBrowser /y\r\nstop mozyprobackup /y\r\nstop SQLAgent$ECWDB2 /y\r\nstop BackupExecDiveciMediaService /y\r\nstop MSSQL$SYSTEM_BGC /y\r\nstop SAVService /y\r\nstop BackupExecJobEngine /y\r\nstop EPSecurityService /y\r\nstop SQLAgent$PRACTTICEBGC /y\r\nstop BackupExecManagementService /y\r\nstop MSSQL$VEEAMSQL2008R2 /y\r\nstop SepMasterService /y\r\nstop BackupExecRPCService /y\r\nstop MSSQL$TPS /y\r\nstop SQLAgent$PRACTTICEMGT /y\r\nstop AcrSch2Svc /y\r\nstop EPUpdateService /y\r\nstop ShMonitor /y\r\nstop AcronisAgent /y\r\nstop ntrtscan /y\r\nstop SQLAgent$PROD /y\r\nstop CASAD2DWebSvc /y\r\nstop MSSQL$TPSAMA /y\r\nstop Smcinst /y\r\nstop CAARCUpdateSvc /y\r\nstop EsgShKernel 
/y\r\nstop SQLAgent$PROFXENGAGEMENT /y\r\nstop sophos /y\r\nstop PDVFSService /y\r\nstop SmcService /y\r\nstop MsDtsServer /y\r\nstop MSSQL$VEEAMSQL2008R2 /y\r\nstop SQLAgent$SBSMONITORING /y\r\nstop IISAdmin /y\r\nstop ESHASRV /y\r\nstop SntpService /y\r\nstop MSExchangeES /y\r\nstop SDRSVC /y\r\nstop SQLAgent$SHAREPOINT /y\r\nstop EraserSvc11710 /y\r\nstop MSSQL$VEEAMSQL2012 /y\r\nstop sophossps /y\r\nstop MsDtsServer100 /y\r\nstop FA_Scheduler /y\r\nstop SQLAgent$SQL_2008 /y\r\nstop NetMsmqActivator /y\r\nstop SQLAgent$VEEAMSQL2008R2 /y\r\nstop SQLAgent$SOPHOS /y\r\nstop MSExchangeIS /y\r\nstop MSSQLFDLauncher$PROFXENGAGEMENT /y\r\nstop SQLAgent$SQLEXPRESS /y\r\nstop SamSs /y\r\nstop KAVFS /y\r\nstop svcGenericHost /y\r\nstop ReportServer /y\r\nstop SQLWriter /y\r\nstop SQLAgent$SYSTEM_BGC /y\r\nstop MsDtsServer110 /y\r\nstop MSSQLFDLauncher$SBSMONITORING /y\r\nstop swi_filter /y\r\nstop POP3Svc /y\r\nstop KAVFSGT /y\r\nstop SQLAgent$TPS /y\r\nstop MSExchangeMGMT /y\r\nstop VeeamBackupSvc /y\r\nstop swi_service /y\r\nstop SMTPSvc /y\r\nstop MSSQLFDLauncher$SHAREPOINT /y\r\nstop SQLAgent$TPSAMA /y\r\nstop ReportServer$SQL_2008 /y\r\nstop kavfsslp /y\r\nstop swi_update /y\r\nstop msftesql$PROD /y\r\nstop VeeamBrokerSvc /y\r\nstop SQLAgent$VEEAMSQL2008R2 /y\r\nstop SstpSvc /y\r\nstop MSSQLFDLauncher$SQL_2008 /y\r\nstop swi_update_64 /y\r\nstop MSExchangeMTA /y\r\nstop klnagent /y\r\nstop SQLAgent$VEEAMSQL2012 /y\r\nstop ReportServer$SYSTEM_BGC /y\r\nstop VeeamCatalogSvc /y\r\nstop TmCCSF /y\r\nstop MSOLAP$SQL_2008 /y\r\nstop MSSQLFDLauncher$SYSTEM_BGC /y\r\nstop SQLBrowser /y\r\nstop UI0Detect /y\r\nstop macmnsvc /y\r\nstop tmlisten /y\r\nstop MSExchangeSA /y\r\nstop VeeamCloudSvc /y\r\nstop SQLSafeOLRService 
/y\r\nstop ReportServer$TPS /y\r\nstop MSSQLFDLauncher$TPS /y\r\nstop TrueKey /y\r\nstop MSOLAP$SYSTEM_BGC /y\r\nstop masvc /y\r\nstop SQLSERVERAGENT /y\r\nstop W3Svc /y\r\nstop VeeamDeploymentService /y\r\nstop TrueKeyScheduler /y\r\nstop MSExchangeSRS /y\r\nstop MSSQLFDLauncher$TPSAMA /y\r\nstop SQLTELEMETRY /y\r\nstop ReportServer$TPSAMA /y\r\nstop MBAMService /y\r\nstop TrueKeyServiceHelper /y\r\nstop MSOLAP$TPS /y\r\nstop VeeamDeploySvc /y\r\nstop SQLTELEMETRY$ECWDB2 /y\r\nstop msexchangeadtopology /y\r\nstop MSSQLSERVER /y\r\nstop WRSVC /y\r\nstop AcrSch2Svc /y\r\nstop MBEndpointAgent /y\r\nstop mssql$vim_sqlexp /y\r\nstop MSOLAP$TPSAMA /y\r\nstop VeeamEnterpriseManagerSvc /y\r\nstop vapiendpoint /y\r\nAnother technique used by most variants of Thanos-based ransomware is to evade detection by finding and terminating processes of analysis tools, matched against the list of keywords shown below:\r\nhttp analyzer stand-alone\r\nNetworkTrafficView\r\nCFF Explorer\r\nfiddler\r\nHTTPNetworkSniffer\r\nprotection_id\r\neffetech http sniffer\r\ntcpdump\r\npe-sieve\r\nfiresheep\r\nintercepter\r\nMegaDumper\r\nIEWatch Professional\r\nIntercepter-NG\r\nUnConfuserEx\r\ndumpcap\r\nollydbg\r\nUniversal_Fixer\r\nwireshark\r\ndnspy-x86\r\nNoFuserEx\r\nwireshark portable\r\ndotpeek\r\ncheatengine\r\nsysinternals tcpview\r\ndotpeek64\r\nNetworkMiner\r\nRDG Packer Detector\r\nFurther, it changes the configuration of specific services, as shown below.\r\nFigure 8: Screenshot of service configuration changes.\r\nIt deletes shadow copies using a PowerShell command so that the system is unable to recover data.\r\nCommand : \"powershell.exe\" \u0026 Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }\r\nFile 
Encryption\r\nMidas ransomware searches through each drive and directory and encrypts the files it finds. It creates a random key and encrypts each file using the AES algorithm in CBC mode. The AES key is then encrypted with the RSA public key, as shown in the screenshot below. The encrypted key is encoded in Base64 and appended to each impacted file, and the FileMarker “GotAllDone” is added at the end of each encrypted file. The encrypted key is also saved in the Registry under “HKEY_CURRENT_USER\\SOFTWARE\\KEYID\\myKeyID”. After encryption, it drops the “reload1.lnk” file to open a ransom note at every restart.\r\nPath: \"C:\\\\Users\\\\{Username}\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\reload1.lnk\".\r\nFigure 9: Screenshot of encrypting AES key with RSA public key.\r\nIt encrypts files with the extensions listed below:\r\nAfter encryption, it appends the “.{Targeted Company name}” extension and drops the “RESTORE_FILES_INFO.hta and RESTORE_FILES_INFO.txt” ransom note. 
Below is the screenshot of the ransom note. RESTORE_FILES_INFO.hta does not contain the Key ID, but RESTORE_FILES_INFO.txt does.\r\nFigure 10: Ransom note of Midas\r\nCloud Sandbox Detection\r\nFigure 11: Zscaler Cloud Sandbox detection of Midas ransomware\r\nIn addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators at various levels.\r\nWin32.Ransom.Thanos\r\nhttps://threatlibrary.zscaler.com/?threatname=win32.ransom.thanos\r\nWin32.Ransom.Prometheus\r\nhttps://threatlibrary.zscaler.com/?threatname=win32.ransom.prometheus\r\nWin32.Ransom.Spook\r\nhttps://threatlibrary.zscaler.com/?threatname=win32.ransom.spook\r\nWin32.Ransom.Haron\r\nhttps://threatlibrary.zscaler.com/?threatname=win32.ransom.haron\r\nWin32.Ransom.Midas\r\nhttps://threatlibrary.zscaler.com/?threatname=win32.ransom.midas\r\nMITRE ATT\u0026CK Techniques (ID: Technique)\r\nT1059: Command and Scripting Interpreter\r\nT1569.002: Service Execution\r\nT1112: Modify Registry\r\nT1562.001: Disable or Modify Tools\r\nT1010: Application Window Discovery\r\nT1057: Process Discovery\r\nT1518.001: Security Software Discovery\r\nT1083: File and Directory Discovery\r\nT1490: Inhibit System Recovery\r\nT1489: Service Stop\r\nT1486: Data Encrypted for Impact\r\nIOC\r\nMD5: 3767a7d073f5d2729158578a7006e4c4\r\nSource: https://securityboulevard.com/2022/03/midas-ransomware-tracing-the-evolution-of-thanos-ransomware-variants/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securityboulevard.com/2022/03/midas-ransomware-tracing-the-evolution-of-thanos-ransomware-variants/"
	],
	"report_names": [
		"midas-ransomware-tracing-the-evolution-of-thanos-ransomware-variants"
	],
	"threat_actors": [],
	"ts_created_at": 1775434531,
	"ts_updated_at": 1775791246,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7f20b76459f1254e40d6cb8ef5ae8af66a581fdd.pdf",
		"text": "https://archive.orkl.eu/7f20b76459f1254e40d6cb8ef5ae8af66a581fdd.txt",
		"img": "https://archive.orkl.eu/7f20b76459f1254e40d6cb8ef5ae8af66a581fdd.jpg"
	}
}