{
	"id": "cbcb1322-7138-4160-8c6d-a1757fbf1405",
	"created_at": "2026-04-06T00:10:55.60991Z",
	"updated_at": "2026-04-10T03:20:39.121441Z",
	"deleted_at": null,
	"sha1_hash": "d7947f689576503936bc9da16ee525a49a44e315",
	"title": "A Study of Thanos Ransomware Variants | Zscaler Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 120597,
	"plain_text": "A Study of Thanos Ransomware Variants | Zscaler Blog\r\nBy Rajdeepsinh Dodia\r\nPublished: 2022-03-23 · Archived: 2026-04-05 16:41:02 UTC\r\nKey Takeaways: An in-depth analysis of Midas and trends across other Thanos ransomware variants reveals how ransomware groups shifted tactics in 2021 to:\r\nlower sunk costs by using RaaS builders to reduce development time\r\nincrease payouts with double extortion tactics by using their own data leak sites\r\nextend the length and effectiveness of campaigns to get the highest investment returns by updating payloads and/or rebranding their own ransomware group\r\nAdvertised on the dark web as Ransomware-as-a-Service (RaaS), Thanos ransomware was first identified in February 2020. Written in C# and running on the .NET Framework, this serious offender reboots systems in safe boot mode to bypass antivirus detection and includes a builder that enables threat actors to create new variants by customizing samples. The source code of the Thanos builder has also leaked, and many different variants based on it have been observed. Here we discuss the four 2021 variants shown in Figure 1 below that used double extortion tactics.\r\nImage\r\nFigure 1: Timeline of Thanos-derived ransomware variations\r\nBeginning in February 2021, the Prometheus ransomware variant emerged as one of the new Thanos-built variants of the year. It encrypts files, appends the “.[{ID}],.PROM[prometheushelp@mail{.}ch] , {ID}[prometheusdec@yahoo{.}com] “ extension, and drops the “RESTORE_FILES_INFO.txt, RESTORE_FILES_INFO.hta” ransom note. The Prometheus group which operates the variant has claimed to be part of the notorious REvil ransomware group responsible for the Kaseya supply chain attack; however, experts doubt the claim, as a solid connection between the two has never been established. 
\r\nThis variant is known for using double extortion techniques to make organizations pay, including threatening to leak valuable data on its leak site. A quick check reveals that the leak site is currently down, but the threat still holds potential weight.\r\nIn July 2021, another Thanos-derived ransomware called Haron was discovered. It encrypts files, appends the “.{Targeted Company name}” extension, and drops the “RESTORE_FILES_INFO.hta,RESTORE_FILES_INFO.txt” ransom note. The Haron ransomware group also has its own data leak site used for double extortion. This variant has striking similarities with Avaddon ransomware based on examination of the ransom note and data leak site information.\r\nIn September 2021, the Thanos builder was used again to develop the Spook ransomware variant. It encrypts files, appends the “.{ID}” extension, and drops the “RESTORE_FILES_INFO.hta,RESTORE_FILES_INFO.txt” ransom note. Like the other variants, Spook ransomware also uses double extortion techniques with its own data leak site, as shown in the screenshot below.\r\nRounding out the year in October 2021, another Thanos ransomware family emerged with the Midas variant, which appends the “.{Targeted Company name}” extension and drops the “RESTORE_FILES_INFO.hta and RESTORE_FILES_INFO.txt” ransom note. In January 2022, ThreatLabz investigated a report of Midas ransomware being slowly deployed over a 2-month period; the attacker was observed using different PowerShell scripts, remote access tools, and an open-source Windows utility.\r\nhttps://www.zscaler.com/blogs/security-research/midas-ransomware-tracing-evolution-thanos-ransomware-variants\r\nPage 1 of 11\n\nLike the others, Midas features its own data leak site for double extortion. Interestingly, the site contains leaked victim data from a Haron ransomware attack, suggesting to researchers that Midas is potentially linked to the Haron ransomware operators. 
\r\nImage\r\nFigure 2: Count of companies with leaked data by 2021 Thanos ransomware variants.\r\nIdentifying Thanos as the Source for the Prometheus, Haron, Spook, and Midas ransomware variants\r\nTracing the evolution of Thanos-based ransomware variants back to the source provides threat researchers with an inside look at how ransomware gangs operate and evolve over time. To establish a connection between each variant, the ThreatLabz team looked for the use of common signatures and indicators that would point back to the Thanos ransomware builder. After determining that each variant was derived using the builder, the team set about analyzing the similarities and differences in the shifting techniques adversaries employ to make new variants of a common-origin ransomware more effective. These observations help us to gain insights into the cooperation happening between adversary groups and better understand the development lifecycle and alternating impacts of ransomware through its variants.\r\nThe analysis that follows walks you through identifying Thanos variants through an examination of common signatures found in the ransom note key identifiers and the consistent use of a common file marker, “GotAllDone”, followed by an in-depth analysis of the latest Midas variant.\r\nIdentifying Thanos Variants\r\nAll four of the 2021 Thanos-based ransomware variants contain a key identifier with common signatures for the Thanos builder found in the ransom notes, as shown in Figure 3 below.\r\nImage\r\nImage\r\nFigure 3: Screenshots of ransom notes showing the common signature ‘Key Identifier’ for 2021 Thanos ransomware variants: Prometheus, Haron, Spook and Midas.\r\nAnother similarity is that, after encrypting the data of every file, they append a Base64-encoded key. 
Prometheus, Haron, Spook, and Midas all contain the same FileMarker, “GotAllDone”, appended at the end of each encrypted file. The screenshot below displays the FileMarker and the Base64-encoded key appended after the data encrypted by Midas ransomware.\r\nImage\r\nFigure 4: Screenshots of FileMarker and Base64 encoded key appended\r\nMidas Ransomware\r\nThe Midas data leak site currently displays data from 29 victim companies, including data from several victims previously seen on the Haron data leak site, which is now inactive.\r\nImage\r\nFigure 5: Screenshot of the Midas ransomware data leak site index page.\r\nImage\r\nFigure 6: Screenshot of victim companies listed on Midas ransomware data leak site.\r\nTechnical analysis\r\nMidas ransomware is written in C# and obfuscated using SmartAssembly. Once executed, this variant starts terminating processes using taskkill.exe. It terminates processes that would interfere with encryption, including those belonging to security software and database programs, so that it can encrypt more files. 
Below is a list of the common processes typically terminated by Thanos-based ransomware.\r\nMost commonly terminated processes:\r\nRaccineSettings.exe\r\nmspub.exe\r\nCNTAoSMgr.exe\r\nxfssvccon.exe\r\nmydesktopqos.exe\r\nsqlbrowser.exe\r\nsqlwriter.exe\r\ntbirdconfig.exe\r\nvisio.exe\r\nsqlservr.exe\r\nsqbcoreservice.exe\r\nthebat64.exe\r\nmysqld.exe\r\ndbeng50.exe\r\nNtrtscan.exe\r\nisqlplussvc.exe\r\nsynctime.exe\r\nfirefoxconfig.exe\r\nwinword.exe\r\nocomm.exe\r\nagntsvc.exe\r\ninfopath.exe\r\nocautoupds.exe\r\nmysqld-opt.exe\r\nsqlagent.exe\r\npowerpnt.exe\r\nsteam.exe\r\nzoolz.exe\r\nencsvc.exe\r\nthebat.exe\r\ntmlisten.exe\r\nmbamtray.exe\r\nPccNTMon.exe\r\nmydesktopservice.exe\r\nexcel.exe\r\nonenote.exe\r\nmsftesql.exe\r\nwordpad.exe\r\nocssd.exe\r\nmysqld-nt.exe\r\noracle.exe\r\ndbsnmp.exe\r\noutlook.exe\r\nmsaccess.exe\r\nIt also kills the process, deletes the scheduled task, and removes the registry entries related to the Raccine tool, a ransomware prevention tool that protects the system by blocking ransomware processes from deleting shadow copies.\r\nPrometheus, Haron, Spook and Midas have all been seen terminating Raccine-related artifacts.\r\nImage\r\nFigure 7: Command used to terminate the Raccine process and other artifacts. 
\r\nThe Midas variant is designed to stop services related to security products, database software, backups and email exchanges.\r\nList of most commonly disrupted services (one service command per line):\r\nstart Dnscache /y\r\nstop msexchangeimap4 /y\r\nstop MSSQLServerADHelper /y\r\nstart FDResPub /y\r\nstop ARSM /y\r\nstop McAfeeEngineService /y\r\nstart SSDPSRV /y\r\nstop MSSQL$BKUPEXEC /y\r\nstop VeeamHvIntegrationSvc /y\r\nstart upnphost /y\r\nstop unistoresvc_1af40a /y\r\nstop MSSQLServerADHelper100 /y\r\nstop avpsus /y\r\nstop BackupExecAgentAccelerator /y\r\nstop McAfeeFramework /y\r\nstop McAfeeDLPAgentService /y\r\nstop MSSQL$ECWDB2 /y\r\nstop VeeamMountSvc /y\r\nstop mfewc /y\r\nstop audioendpointbuilder /y\r\nstop MSSQLServerOLAPService /y\r\nstop BMR Boot Service /y\r\nstop BackupExecAgentBrowser /y\r\nstop McAfeeFrameworkMcAfeeFramework /y\r\nstop NetBackup BMR MTFTP Service /y\r\nstop MSSQL$PRACTICEMGT /y\r\nstop VeeamNFSSvc /y\r\nstop DefWatch /y\r\nstop BackupExecDeviceMediaService /y\r\nstop MySQL57 /y\r\nstop ccEvtMgr /y\r\nstop MSSQL$PRACTTICEBGC /y\r\nstop McShield /y\r\nstop ccSetMgr /y\r\nstop BackupExecJobEngine /y\r\nstop VeeamRESTSvc /y\r\nstop SavRoam /y\r\nstop MSSQL$PROD /y\r\nstop MySQL80 /y\r\nstop RTVscan /y\r\nstop AcronisAgent /y\r\nstop McTaskManager /y\r\nstop QBFCService /y\r\nstop BackupExecManagementService /y\r\nstop VeeamTransportSvc /y\r\nstop QBIDPService /y\r\nstop MSSQL$PROFXENGAGEMENT /y\r\nstop OracleClientCache80 /y\r\nstop Intuit.QuickBooks.FCS /y\r\nstop Antivirus /y\r\nstop mfefire /y\r\nstop QBCFMonitorService /y\r\nstop BackupExecRPCService /y\r\nstop wbengine /y\r\nstop YooBackup /y\r\nstop MSSQL$SBSMONITORING /\r\nstop ReportServer$SQL_2008 /y\r\nstop YooIT /y\r\nstop MSSQL$SBSMONITORING /y\r\nstop mfemms /y\r\nstop zhudongfangyu /y\r\nstop AVP /y\r\nstop wbengine /y\r\nstop stc_raw_agent /y\r\nstop BackupExecVSSProvider /y\r\nstop RESvc /y\r\nstop VSNAPVSS /y\r\nstop MSSQL$SHAREPOINT /y\r\nstop mfevtp /y\r\nstop VeeamTransportSvc /y\r\nstop DCAgent /y\r\nstop sms_site_sql_backup /y\r\nstop VeeamDeploymentService /y\r\nstop bedbg /y\r\nstop SQLAgent$BKUPEXEC /y\r\nstop VeeamNFSSvc /y\r\nstop MSSQL$SQL_2008 /y\r\nstop MSSQL$SOPHOS /y\r\nstop veeam /y\r\nstop EhttpSrv /y\r\nstop SQLAgent$CITRIX_METAFRAME /y\r\nstop PDVFSService /y\r\nstop MMS /y\r\nstop sacsvr /y\r\nstop BackupExecVSSProvider /y\r\nstop MSSQL$SQLEXPRESS /y\r\nstop SQLAgent$CXDB /y\r\nstop BackupExecAgentAccelerator /y\r\nstop ekrn /y\r\nstop SAVAdminService /y\r\nstop BackupExecAgentBrowser /y\r\nstop mozyprobackup /y\r\nstop SQLAgent$ECWDB2 /y\r\nstop BackupExecDiveciMediaService /y\r\nstop MSSQL$SYSTEM_BGC /y\r\nstop SAVService /y\r\nstop BackupExecJobEngine /y\r\nstop EPSecurityService /y\r\nstop SQLAgent$PRACTTICEBGC /y\r\nstop BackupExecManagementService /y\r\nstop MSSQL$VEEAMSQL2008R2 /y\r\nstop SepMasterService /y\r\nstop BackupExecRPCService /y\r\nstop MSSQL$TPS /y\r\nstop SQLAgent$PRACTTICEMGT /y\r\nstop AcrSch2Svc /y\r\nstop EPUpdateService /y\r\nstop ShMonitor /y\r\nstop AcronisAgent /y\r\nstop ntrtscan /y\r\nstop SQLAgent$PROD /y\r\nstop CASAD2DWebSvc /y\r\nstop MSSQL$TPSAMA /y\r\nstop Smcinst /y\r\nstop CAARCUpdateSvc /y\r\nstop EsgShKernel /y\r\nstop SQLAgent$PROFXENGAGEMENT /y\r\nstop sophos /y\r\nstop PDVFSService /y\r\nstop SmcService /y\r\nstop MsDtsServer /y\r\nstop MSSQL$VEEAMSQL2008R2 /y\r\nstop SQLAgent$SBSMONITORING /y\r\nstop IISAdmin /y\r\nstop ESHASRV /y\r\nstop SntpService /y\r\nstop MSExchangeES /y\r\nstop SDRSVC /y\r\nstop SQLAgent$SHAREPOINT /y\r\nstop EraserSvc11710 /y\r\nstop MSSQL$VEEAMSQL2012 /y\r\nstop sophossps /y\r\nstop MsDtsServer100 /y\r\nstop FA_Scheduler /y\r\nstop SQLAgent$SQL_2008 /y\r\nstop NetMsmqActivator /y\r\nstop SQLAgent$VEEAMSQL2008R2 /y\r\nstop SQLAgent$SOPHOS /y\r\nstop MSExchangeIS /y\r\nstop MSSQLFDLauncher$PROFXENGAGEMENT /y\r\nstop SQLAgent$SQLEXPRESS /y\r\nstop SamSs /y\r\nstop KAVFS /y\r\nstop svcGenericHost /y\r\nstop ReportServer /y\r\nstop SQLWriter /y\r\nstop SQLAgent$SYSTEM_BGC /y\r\nstop MsDtsServer110 /y\r\nstop MSSQLFDLauncher$SBSMONITORING /y\r\nstop swi_filter /y\r\nstop POP3Svc /y\r\nstop KAVFSGT /y\r\nstop SQLAgent$TPS /y\r\nstop MSExchangeMGMT /y\r\nstop VeeamBackupSvc /y\r\nstop swi_service /y\r\nstop SMTPSvc /y\r\nstop MSSQLFDLauncher$SHAREPOINT /y\r\nstop SQLAgent$TPSAMA /y\r\nstop ReportServer$SQL_2008 /y\r\nstop kavfsslp /y\r\nstop swi_update /y\r\nstop msftesql$PROD /y\r\nstop VeeamBrokerSvc /y\r\nstop SQLAgent$VEEAMSQL2008R2 /y\r\nstop SstpSvc /y\r\nstop MSSQLFDLauncher$SQL_2008 /y\r\nstop swi_update_64 /y\r\nstop MSExchangeMTA /y\r\nstop klnagent /y\r\nstop SQLAgent$VEEAMSQL2012 /y\r\nstop ReportServer$SYSTEM_BGC /y\r\nstop VeeamCatalogSvc /y\r\nstop TmCCSF /y\r\nstop MSOLAP$SQL_2008 /y\r\nstop MSSQLFDLauncher$SYSTEM_BGC /y\r\nstop SQLBrowser /y\r\nstop UI0Detect /y\r\nstop macmnsvc /y\r\nstop tmlisten /y\r\nstop MSExchangeSA /y\r\nstop VeeamCloudSvc /y\r\nstop SQLSafeOLRService /y\r\nstop ReportServer$TPS /y\r\nstop MSSQLFDLauncher$TPS /y\r\nstop TrueKey /y\r\nstop MSOLAP$SYSTEM_BGC /y\r\nstop masvc /y\r\nstop SQLSERVERAGENT /y\r\nstop W3Svc /y\r\nstop VeeamDeploymentService /y\r\nstop TrueKeyScheduler /y\r\nstop MSExchangeSRS /y\r\nstop MSSQLFDLauncher$TPSAMA /y\r\nstop SQLTELEMETRY /y\r\nstop ReportServer$TPSAMA /y\r\nstop MBAMService /y\r\nstop TrueKeyServiceHelper /y\r\nstop MSOLAP$TPS /y\r\nstop VeeamDeploySvc /y\r\nstop SQLTELEMETRY$ECWDB2 /y\r\nstop msexchangeadtopology /y\r\nstop MSSQLSERVER /y\r\nstop WRSVC /y\r\nstop AcrSch2Svc /y\r\nstop MBEndpointAgent /y\r\nstop mssql$vim_sqlexp /y\r\nstop MSOLAP$TPSAMA /y\r\nstop VeeamEnterpriseManagerSvc /y\r\nstop vapiendpoint /y\r\nAnother technique used by most variants of Thanos-based ransomware is to evade detection by 
finding and terminating processes of analysis tools, matched by searching for the list of keywords shown below:\r\nhttp analyzer stand-alone\r\nfiddler\r\neffetech http sniffer\r\nfiresheep\r\nIEWatch Professional\r\ndumpcap\r\nwireshark\r\nwireshark portable\r\nsysinternals tcpview\r\nNetworkMiner\r\nNetworkTrafficView\r\nHTTPNetworkSniffer\r\ntcpdump\r\nintercepter\r\nIntercepter-NG\r\nollydbg\r\ndnspy-x86\r\ndotpeek\r\ndotpeek64\r\nRDG Packer Detector\r\nCFF Explorer\r\nprotection_id\r\npe-sieve\r\nMegaDumper\r\nUnConfuserEx\r\nUniversal_Fixer\r\nNoFuserEx\r\ncheatengine\r\nFurther, it changes the configuration of specific services as shown below.\r\nImage\r\nFigure 8: Screenshot of service configuration changes.\r\nIt deletes shadow copies using a PowerShell command so the system is unable to recover data.\r\nCommand : \"powershell.exe\" \u0026 Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }\r\nFile Encryption\r\nMidas ransomware searches through each drive and directory and encrypts the files. It creates a random key and encrypts each file using the Salsa20 algorithm. The Salsa20 key is then encrypted with the RSA public key, as shown in the screenshot below. The encryption key is encoded in Base64 and appended to each impacted file. It also adds the FileMarker “GotAllDone” at the end of each encrypted file. The encrypted key is also saved in the Registry under “HKEY_CURRENT_USER\\SOFTWARE\\KEYID\\myKeyID”. 
After encryption, it drops the “reload1.lnk” file to open the ransom note at every restart.\r\nPath: \"C:\\\\Users\\\\{Username}\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\reload1.lnk\".\r\nFigure 9: Screenshot of encrypting Salsa20 key with RSA public key.\r\nIt encrypts files with the extensions shown below.\r\nImage\r\nAfter encryption, it appends the “.{Targeted Company name}” extension and drops the “RESTORE_FILES_INFO.hta and RESTORE_FILES_INFO.txt” ransom note. Below is a screenshot of the ransom note. RESTORE_FILES_INFO.hta doesn’t contain the Key ID, but RESTORE_FILES_INFO.txt does.\r\nImage\r\nFigure 10: Ransom note of Midas\r\nCloud Sandbox Detection\r\nImage\r\nFigure 11: Zscaler Cloud Sandbox detection of Midas ransomware\r\nIn addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators at various levels.\r\nWin32.Ransom.Thanos\r\nhttps://threatlibrary.zscaler.com/?threatname=win32.ransom.thanos\r\nWin32.Ransom.Prometheus\r\nhttps://threatlibrary.zscaler.com/?threatname=win32.ransom.prometheus\r\nWin32.Ransom.Spook\r\nhttps://threatlibrary.zscaler.com/?threatname=win32.ransom.spook\r\nWin32.Ransom.Haron\r\nhttps://threatlibrary.zscaler.com/?threatname=win32.ransom.haron\r\nWin32.Ransom.Midas\r\nhttps://threatlibrary.zscaler.com/?threatname=win32.ransom.midas\r\nMITRE ATT\u0026CK Techniques\r\nID Technique\r\nT1059 Command and Scripting Interpreter\r\nT1569.002 Service Execution\r\nT1112 Modify Registry\r\nT1562.001 Disable or Modify Tools\r\nT1010 Application Window Discovery\r\nT1057 Process Discovery\r\nT1518.001 Security Software Discovery\r\nT1083 File and Directory Discovery\r\nT1490 Inhibit System Recovery\r\nT1489 Service Stop\r\nT1486 Data Encrypted for Impact\r\nIOC\r\nMD5: 3767a7d073f5d2729158578a7006e4c4\r\nAbout ThreatLabz\r\nThreatLabz is the security research arm of Zscaler. This world-class team is responsible for hunting new threats and ensuring that the thousands of organizations using the global Zscaler platform are always protected. In addition to malware research and behavioral analysis, team members are involved in the research and development of new prototype modules for advanced threat protection on the Zscaler platform, and regularly conduct internal security audits to ensure that Zscaler products and infrastructure meet security compliance standards. ThreatLabz regularly publishes in-depth analyses of new and emerging threats on its portal, research.zscaler.com.\r\nFurther Reading: Zscaler Ransomware Protection\r\nSource: https://www.zscaler.com/blogs/security-research/midas-ransomware-tracing-evolution-thanos-ransomware-variants",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/midas-ransomware-tracing-evolution-thanos-ransomware-variants"
	],
	"report_names": [
		"midas-ransomware-tracing-evolution-thanos-ransomware-variants"
	],
	"threat_actors": [],
	"ts_created_at": 1775434255,
	"ts_updated_at": 1775791239,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d7947f689576503936bc9da16ee525a49a44e315.pdf",
		"text": "https://archive.orkl.eu/d7947f689576503936bc9da16ee525a49a44e315.txt",
		"img": "https://archive.orkl.eu/d7947f689576503936bc9da16ee525a49a44e315.jpg"
	}
}