In early 2020, a new ransomware family dubbed “Thanos” was discovered on sale in underground forums mostly frequented by cybercriminals. At the time, Thanos was advertised as a “Ransomware Affiliate Program,” available for anyone to buy. The malware saw regular updates and new features added over time. A closer look at its code revealed that it was also used at the baseline in ransomware samples that were tracked as “Hakbit” and used in additional attacks that targeted organizations in Austria, Switzerland and Germany.

Thanos’ developer equipped it with a bootlocker in mid-2020 and was also using a somewhat novel technique of encrypting files known as “RIPlace,” in which they weaponized research into ransomware evasion techniques based on file characteristics.

In September 2020, Thanos was detected in attacks on government organizations in MEA. It presented the victims with a black screen that demanded money to unlock files, and while it had a supposed capability to run a destructive attack, that function did not work and left MBR intact.

By June 2021, more of Thanos made headlines, only this time as the base code for another ransomware, Prometheus. The latter was used in double-extortion attacks that encrypted files but also stole data and threatened to release it unless a hefty ransom was paid. Prometheus’ operators claimed to be part of the REvil group, they even placed a logo of sorts on their demands for ransom but provided no proof to that effect and may have wanted to use that as a pressure tactic.