Back in February we wrote about a new ransomware called Thanatos that was encrypting victim's data, but contained flaws that would not allow the authors to decrypt a victims files even if they paid. Thankfully, the Cisco Talos Group was able to find a method to break the encryption routine in order to create a decryptor that allows victims to recover their files for free.

While Thanatos never had a wide distribution, there were some victims of this ransomware as indicated by submissions to ID Ransomware and from Cisco's analysis. According to Cisco there were multiple campaigns, with version 1.1 being distributed most widely. 

This version used a more advanced ransom note and visibly showed the name and version of the ransomware as displayed below. Victim's of this ransomware would also have their files encrypted and the names of the file's would have the .THANATOS extension appended to them. For example, test.jpg would be encrypted and named as test.jpg.THANATOS.

Thanatos Ransom Note
Thanatos Ransom Note

Cisco has also stated that other versions were released that did not contain any contact information and appeared to be designed to simply destroy the victim's data.

"In investigating the distribution mechanisms being used by the attacker to infect victims and remove their ability to access data on their system, we identified an interesting campaign that indicated that at least in this particular case, the attacker had no intention of providing any sort of data decryption to the victim," Cisco's report stated. "The malware appears to have been delivered to the victim as an attachment to a chat message sent to the victim using the Discord chat platform."

As Thanatos was released at one time as an open-source project, it is possible that other developers were creating their own versions using same ransomware code base.

Decrypting files encrypted by the Thanatos Ransomware

To decrypt files encrypted by the Thanatos Ransomware, you should download the Thanatos Decryptor and save it to your desktop. You also need to make sure you have the Microsoft Visual C++ Redistributable for Visual Studio 2017 installed or you will receive errors about missing DLLs when you try to run the decryptor.

Thanatos Decryptor
Thanatos Decryptor

Once you have everything you need, simply double-click on the executable and the decryptor will begin to search for files to decrypt. At this time, the decryptor will only decrypt the following file types:

  • Image: .gif, .tif, .tiff, .jpg, .jpeg, .png
  • Video: .mpg, .mpeg, .mp4, .avi
  • Audio: .wav
  • Document: .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pdf, .odt, .ods, .odp, .rtf
  • Other: .zip, .7z, .vmdk, .psd, .lnk

Cisco also recommends that the decryptor be run on the same machine that the files were encrypted. The decryption process can take quite a while, so please be patient while it decrypts your files.

For those who are interested in learning how decryptors work, Cisco has open sourced their tool, which be found at the project's Github page.

Related Articles:

Free Decrypter Available for the Latest GandCrab Ransomware Versions

The Week in Ransomware - October 26th 2018 - Decryptors, RaaS, and More

The Week in Ransomware - November 9th 2018 - Mostly Dharma Variants

SEO Poisoning Campaign Targeting U.S. Midterm Election Keywords

The Week in Ransomware - November 2nd 2018 - RaaS, DiskCryptor, & More