A strain of ransomware designed to disrupt computers’ booting processes hit government-run organizations in the Middle East and North Africa in July, researchers said Friday, in the latest example of data-wiping tools being aimed at key organizations in the region.
The ransomware attacks used Thanos, a type of malware that surfaced earlier this year and has gained traction on underground forums, according to analysts at Palo Alto Networks. In an increasingly popular tactic among ransomware gangs, Thanos is sold “as a service” to other hackers interested in deploying it. That can make the attacks harder to trace, and allow users to develop their own custom features.
The motives behind the attacks are mysterious. A hacker interested in getting paid typically doesn’t disrupt a machine to make it harder for a victim to hand over the ransom. Yet that’s exactly what the perpetrators of the July attacks attempted to do: Their version of Thanos had a “destructive” component designed to overwrite the computers’ master boot record (MBR), which tells a machine how to start up, according to Palo Alto Networks.
Whether the hackers really wanted the “20,000$” they asked for in a note left on the machines is unclear. The MBR overwrite didn’t end up working because of a coding error. It’s unclear if the victims paid the ransom.
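To make the MBR component of the story concrete from a defender's side, here is an added example (not code from the article, from Palo Alto Networks' report, or from the Thanos malware) that parses a 512-byte master boot record and compares it against a known-good baseline, the kind of check an endpoint agent or forensic script can run against sector 0 of a disk. It assumes the classic MBR layout (446 bytes of boot code, four 16-byte partition entries, the 0x55AA boot signature); the sample sector bytes and the "tampered" sector are constructed for the demonstration.

```python
"""Defensive MBR integrity check.

Added example, not from the article or from Unit 42. Assumes the classic
MBR layout: 446 bytes of boot code, a 4-entry partition table, 0x55AA
signature. Sample sector bytes below are constructed, not captured.
"""
import hashlib
import struct

MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
PARTITION_ENTRY_SIZE = 16
PARTITION_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"


def build_sample_mbr() -> bytes:
    """Construct a plausible, healthy MBR: dummy boot code, one bootable NTFS-type partition."""
    boot_code = b"\xfa\x33\xc0" + b"\x90" * (PARTITION_TABLE_OFFSET - 3)  # constructed filler
    entry = struct.pack(PARTITION_ENTRY_FMT, 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 1_000_000)
    empty = b"\x00" * PARTITION_ENTRY_SIZE
    return boot_code + entry + empty * 3 + BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Decode the partition table, check the boot signature, and hash the boot code region."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE}-byte sector, got {len(sector)}")
    partitions = []
    for i in range(4):
        offset = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            PARTITION_ENTRY_FMT, sector, offset
        )
        if ptype == 0:  # unused entry
            continue
        partitions.append(
            {"index": i, "bootable": status == 0x80, "type": ptype, "lba_start": lba_start, "sectors": sectors}
        )
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:PARTITION_TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
    }


def check_integrity(sector: bytes, baseline_boot_code_sha256: str) -> list:
    """Return a list of findings; an empty list means the sector matches the recorded baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector overwritten or corrupted")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from baseline hash")
    if not info["partitions"]:
        findings.append("partition table is empty")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition is flagged bootable")
    return findings


def read_sector0(device_path: str) -> bytes:
    """Read the first sector of a block device (read-only; needs administrator/root privileges).
    Hypothetical device paths: '/dev/sda' on Linux, r'\\\\.\\PhysicalDrive0' on Windows."""
    with open(device_path, "rb") as dev:
        return dev.read(MBR_SIZE)


if __name__ == "__main__":
    healthy = build_sample_mbr()
    baseline = parse_mbr(healthy)["boot_code_sha256"]  # record this when the host is known-good
    print("healthy sector findings:", check_integrity(healthy, baseline))
    tampered = b"OVERWRITTEN".ljust(MBR_SIZE, b"\x00")  # constructed: simulates a clobbered sector 0
    for finding in check_integrity(tampered, baseline):
        print("tampered sector:", finding)
```

The design choice worth noting is that the baseline hash covers only the boot code region, so a legitimate partition edit does not trip the check while any change to the code that runs at power-on does; a sector that has been overwritten wholesale fails on the signature, the hash and the partition table at once, which is the distinct pattern a wiper leaves versus ordinary file encryption.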
“The addition of overwriting the MBR is not something we have noted in other Thanos attacks, meaning these may be destructive attacks designed to look like ransomware attacks,” said Allan Liska, a ransomware specialist at Recorded Future, an intelligence firm that has reported on Thanos.
The researchers at Palo Alto Networks’ Unit 42 intelligence division did not identify the victims or speculate on who was behind the attacks. But they did say that the same perpetrator likely used a similar variant of Thanos to attack another state-run organization in “the same municipality” in the Middle East in July.
Whoever is behind the hacking is taking advantage of a vibrant ransomware-as-a-service market centered on customer service.
“One of the advantages that Thanos offers is ease-of-use,” Liska told CyberScoop. “Its clean control panel and adaptability to any kind of attack has made it very popular in underground forums.”
The Middle East has for years been the scene of data-wiping cyberattacks. In December, IBM analysts uncovered previously unknown malware they said had been developed by Iranian hackers. The code was used in a data-wiping attack against unnamed energy and industrial organizations in the Middle East.
Using destructive code in ransomware attacks can blur the lines over who is responsible and what their motive is.
For example, Norwegian authorities still haven’t named a culprit for the 2019 ransomware attack that inflicted tens of millions of dollars of damage on aluminum giant Norsk Hydro. Regardless of who was behind that attack, it provided a “blueprint” for state-backed hackers to hide behind malware associated with criminals to achieve their goals, Joe Slowik, adversary hunter at industrial security firm Dragos, told CyberScoop in March.