Thanos Ransomware (.ltnuhr) - Videos

Major Detection Name : Ransom:MSIL/Thanos.PA!MTB (Microsoft), Ransom.MSIL.THANOS.SM (Trend Micro)

Malicious File Creation Location :
- C:\Users\%UserName%\AppData\Local\Temp\<Random>.exe
- C:\Users\%UserName%\AppData\Local\Temp\RESTORE_FILES_INFO.txt
- C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\reload1.lnk

Major Characteristics :
- Offline Encryption
- Prometheus Ransomware series
- EFI System Partition (B:\) + Recovery Partition (M:\) drives are activate.
- Disable and Blocks Task Manager (DisableTaskMgr)
- Disable Raccine ransomware protection ("taskkill" /F /IM RaccineSettings.exe, "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F, "reg" delete HKCU\Software\Raccine /F, "schtasks" /DELETE /TN "Raccine Rules Updater" /F)
- Allow Windows firewall rules ("netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes, "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes)
- Block processes execution (dbeng50.exe, msaccess.exe, mspub.exe, oracle.exe, sqlagent.exe, thebat.exe etc.)
- Stop multi services (avpsus, BMR Boot Service, DefWatch, McAfeeDLPAgentService, NetBackup BMR MTFTP Service, QBFCService etc.)
- Disable multi services ("sc.exe" config FDResPub start= auto, "sc.exe" config SQLTELEMETRY start= disabled, "sc.exe" config SQLWriter start= disabled, "sc.exe" config SSDPSRV start= auto, "sc.exe" config SstpSvc start= disabled, "sc.exe" config upnphost start= auto etc.)
- Disable system restore ("powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); })
- Empty the trash ("cmd.exe" /c rd /s /q %%SYSTEMDRIVE%%\\$Recycle.bin)
- Print the PDF ransomware message using the Print function.