New Ransomware: Pay Up Or Files Go Public

John Lister's picture

A new form of ransomware named after a Marvel super villain has some particularly evil features. The Thanos malware uses an approach more reminiscent of "physical world" blackmail.

Despite the name, the malware thankfully doesn't imitate the character Thanos by - spoiler alert - deleting half the files in the entire universe.

That said, it's still quite scary thanks to a couple of features beyond the usual tactic of encrypting files and demanding a ransom. Instead, the ransomware also seeks to spread across an entire local network and encrypt all the computers it can reach.

This is especially bad news for any business or organization that is currently relying on remote desktop connections in order to access data at an office due to the COVID-19 pandemic, for example. Such machines are incredibly at risk of ransomware sneaking onto the network, particularly if the remote desktop protocol becomes exploitable. In this case, ransomware can sneak onto a network despite security updates, firewall, or antivirus installed.

Personal Data Shared Online

That said, the Thanos ransomware has a tactic aimed at individuals. Before encrypting files, Thanos copies anything in a common document format such as Microsoft Word and Excel files and Adobe PDF documents and holds on to these copies remotely.

The victim then gets a ransom demand with the threat that not only will their own copies of the files remain locked, but the stolen copies will be published online unless they pay a ransom. The demand says the files will appear on sites dedicated to data leaks, meaning there's a strong likelihood that professional scammers will try to exploit any personal data in the documents.

Security Software Fooled

To make things worse, Thanos uses a new technique called RIPlace that aims to disguise the manipulation of files to avoid detection by security software that specifically looks for ransomware.

That's a big worry as when RIPlace first became public knowledge, several security software firms said they didn't need to update their tools as it was a purely theoretical threat. (Source:

That is no longer the case, however, as it appears Thanos has a good chance of spreading. Digital criminals have been offered a hefty revenue share of any ransom payments in return for helping get it on to more machines.

They also get access to a tool that can customize Thanos to as many as 43 different versions, making it much harder to detect. (Source:

What's Your Opinion?

Would you pay a ransom to stop files on your computer being published? Would their content cause you problems if scammers could access them? Are you confident your chosen security tools do enough to combat ransomware?

Rate this article: 
Average: 4.8 (9 votes)


daniel k_8060's picture

This is a worry. How can it be defended? These people should be " hung out to dry" for a Long time.
Interested in any new ways to defeat this.
Thanks for the Article

Dennis Faas's picture

Most of the new variants of ransomware these days cannot be reversed or defeated. The only 100% solution is to backup your data, verify the backup, test the restore process, and keep the backups offline / not attached to the system. If anyone needs a comprehensive backup solution I can assist - shoot me an email here.

ronangel1's picture

The answer here might be quite simple,save,place,all documents types affected in one main folder (documents)and sub folders under this one.Encript folder with master password that has to be manualy entered everytime any document is opened,copied or changed.Apart from password protecting each one separatly.
They may still get you but wont be able to distribute the information and you just use existing backup plan for this sort of attack.

mareket_13675's picture

I use a backup program to copy & store important personal files on several hard drives & any files that contain sensitive private information e.g. bank account details are encrypted using an encryption program. I also keep a copy of these files on an external hard drive that only gets connected to my computer for backup purposes. As well I keep multiple images of my operating system drive on several hard drives including an external drive.

If my files were stolen or encrypted and I received a ransom demand or if my operating system drive was compromised I could be up and running again by restoring an image of my operating system drive & restoring my personal files from one of my backups.