Thanos ransomware is a relatively new strain, first seen in late 2019. It is part of the RaaS (ransomware-as-a-service) trend, in which ransomware code and builders are sold on underground forums.

Multiple targets in the Middle East have recently been attacked with Thanos ransomware, as reported by Palo Alto Networks' Unit 42.


The initial infection uses a PowerShell script to execute the malware and spread it across the network. Lateral movement is achieved with the wmic command, a common Living Off the Land technique: wmic is a signed, built-in Windows tool that can create processes on remote hosts, so its use blends in with legitimate administration.


The ransomware payload is executed via APC (asynchronous procedure call) injection: the malicious code is written into another process and run by queueing an APC to one of that process's threads, rather than being launched as its own executable.
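Both behaviours described above (wmic-driven lateral movement and in-memory injection) leave telemetry that a defender can hunt for without a vendor product. The following is an added example, not code from the original post or from Minerva Labs: a small detector run over constructed Sysmon-style events (event ID 1 process creation, event ID 10 process access). It flags wmic invoked with `/node:` plus `process call create`, encoded PowerShell command lines, and a process opening another with the rights needed to write into its memory (PROCESS_VM_OPERATION and PROCESS_VM_WRITE), which APC injection, like most injection techniques, needs before it can queue the APC. The sample events, paths and the base64 placeholder are all constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Process access rights from winnt.h. Writing code into another process
# (WriteProcessMemory, which APC injection does before QueueUserAPC) needs both.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
WRITE_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Constructed sample events in a Sysmon-like shape (not real telemetry).
# "id" 1 = process creation, "id" 10 = process access.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"id": "1", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic /node:"10.0.0.7" /user:corp\admin process call create '
                r'"powershell -w hidden -exec bypass -enc QQBBAEEAQQA="'},  # placeholder base64
    {"id": "1", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic os get caption"},  # local, benign query
    {"id": "10", "source": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "target": r"C:\Windows\explorer.exe", "access": "0x1F0FFF"},  # PROCESS_ALL_ACCESS
    {"id": "10", "source": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\explorer.exe", "access": "0x1000"},  # QUERY_LIMITED_INFORMATION
]

_REMOTE_WMIC = re.compile(r"/node:", re.I)
_PROC_CREATE = re.compile(r"process\s+call\s+create", re.I)
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -en, -enc, ...).
_ENC_PS = re.compile(r"powershell(?:\.exe)?\b.*\s-e(?:c|nc?|ncodedcommand)?\s", re.I)


def check_process_create(ev: Dict[str, str]) -> List[str]:
    """Rules for a process-creation event; returns human-readable findings."""
    findings: List[str] = []
    cmd = ev.get("cmdline", "")
    if (ev.get("image", "").lower().endswith("wmic.exe")
            and _REMOTE_WMIC.search(cmd) and _PROC_CREATE.search(cmd)):
        findings.append("wmic remote process creation (lateral movement)")
    if _ENC_PS.search(cmd):
        findings.append("encoded PowerShell command line")
    return findings


def check_process_access(ev: Dict[str, str]) -> List[str]:
    """Flag a process-access event whose granted rights allow writing into the target."""
    mask = int(ev["access"], 16)
    if mask & WRITE_MASK == WRITE_MASK:
        return [f"{ev['source']} opened {ev['target']} "
                f"with memory-write rights (0x{mask:X})"]
    return []


def analyse(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Run every rule over every event; returns (event index, finding) pairs."""
    findings: List[Tuple[int, str]] = []
    for idx, ev in enumerate(events):
        if ev["id"] == "1":
            hits = check_process_create(ev)
        elif ev["id"] == "10":
            hits = check_process_access(ev)
        else:
            hits = []
        findings.extend((idx, hit) for hit in hits)
    return findings


if __name__ == "__main__":
    for idx, finding in analyse(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

The process-access rule is a hunting heuristic rather than a signature: debuggers, backup agents and security tools legitimately open other processes with these rights, so in practice it is paired with the source image path and signer, as the first sample event illustrates by coming from a user's Temp directory. Event 0 triggers both process-creation rules, event 2 triggers the memory-write rule, and the two benign events produce nothing.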


Minerva Labs' product blocks both capabilities, with its Living Off the Land protection and its Memory Injection protection.


The malicious PowerShell script is blocked and an event is generated:

IOCs:

SHA-256 hash:

06d5967a6b90b5b5f6a24b5f1e6bfc0fc5c82e7674817644d9c3de61008236dc