Back in February we wrote about a new ransomware called Thanatos that was encrypting victim's data, but contained flaws that would not allow the authors to decrypt a victims files even if they paid. Thankfully, the Cisco Talos Group was able to find a method to break the encryption routine in order to create a decryptor that allows victims to recover their files for free.
While Thanatos never had a wide distribution, there were some victims of this ransomware as indicated by submissions to ID Ransomware and from Cisco's analysis. According to Cisco there were multiple campaigns, with version 1.1 being distributed most widely.
This version used a more advanced ransom note and visibly showed the name and version of the ransomware as displayed below. Victim's of this ransomware would also have their files encrypted and the names of the file's would have the .THANATOS extension appended to them. For example, test.jpg would be encrypted and named as test.jpg.THANATOS.
Cisco has also stated that other versions were released that did not contain any contact information and appeared to be designed to simply destroy the victim's data.
"In investigating the distribution mechanisms being used by the attacker to infect victims and remove their ability to access data on their system, we identified an interesting campaign that indicated that at least in this particular case, the attacker had no intention of providing any sort of data decryption to the victim," Cisco's report stated. "The malware appears to have been delivered to the victim as an attachment to a chat message sent to the victim using the Discord chat platform."
As Thanatos was released at one time as an open-source project, it is possible that other developers were creating their own versions using same ransomware code base.
Decrypting files encrypted by the Thanatos Ransomware
To decrypt files encrypted by the Thanatos Ransomware, you should download the Thanatos Decryptor and save it to your desktop. You also need to make sure you have the Microsoft Visual C++ Redistributable for Visual Studio 2017 installed or you will receive errors about missing DLLs when you try to run the decryptor.
Once you have everything you need, simply double-click on the executable and the decryptor will begin to search for files to decrypt. At this time, the decryptor will only decrypt the following file types:
- Image: .gif, .tif, .tiff, .jpg, .jpeg, .png
- Video: .mpg, .mpeg, .mp4, .avi
- Audio: .wav
- Document: .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pdf, .odt, .ods, .odp, .rtf
- Other: .zip, .7z, .vmdk, .psd, .lnk
Cisco also recommends that the decryptor be run on the same machine that the files were encrypted. The decryption process can take quite a while, so please be patient while it decrypts your files.
For those who are interested in learning how decryptors work, Cisco has open sourced their tool, which be found at the project's Github page.
Comments
Amigo-A - 3 years ago
A huge number of users do not have this package Visual Studio 2017 installed because of a careless Microsoft for users policy. Because of this, the number of victims with this package is even more miserable. Because hardly this decoder will help someone.
the_moss_666 - 3 years ago
Luckily, Thanatos's key creation schedule is just as bad as its decryption service. Seed for AES key is so short it basically IS the key.
melissa_virus - 3 years ago
the only thing i know about thanatos (Θάνατος) is that it is a greek word means Death. In ancient Greece Thanatos supposed to be twin brother with the Sleep (Ύπνος).
i hope that decryptor to help everyone with Thanatos problem. Congratulations to the team who worked on it .