Thanatos ransomware: Free decryption tool released for destructive file-locking malware

This ransomware started as a moneymaking operation and evolved into a campaign of pure destruction - but now victims can retrieve their files, for free.
Written by Danny Palmer, Senior Writer

Victims of a destructive form of ransomware, which fails to unlock files even if the ransom is paid, can now retrieve their files for free with a new file decryptor released by security researchers.

Thanatos ransomware first started targeting Windows systems in February and multiple versions of it have been released in the months since, indicating that those behind it remain an active threat.

Thanatos is distinct from many other forms of ransomware in that it doesn't demand payment in bitcoin; instead it is known to request ransoms in other cryptocurrencies, including Bitcoin Cash, Zcash and Ethereum.


However, even if the victim gives in to the ransom demand, flaws in Thanatos's encryption process mean that the data cannot be returned to the victim. Some campaigns reveal that this is intentional on the part of the attackers, who taunt victims about the lack of a decryption key.

To counter the damage done by files that would otherwise never be decrypted, researchers at Cisco Talos have built and released a free decryption tool -- ThanatosDecryptor.

The tool is available to download now and works on all current versions of the ransomware -- researchers recommend that it is run on the originally infected machine in order to decrypt files across a network as quickly as possible.

Like other forms of ransomware, Thanatos is delivered to victims in the form of an attachment, although it isn't restricted to email as attackers have been seen distributing the ransomware by Discord, a voice and text chat application which is widely used by gamers.


"Chat platforms provide a direct communications path between an attacker and a potential victim and the nature of real-time chat also provides a means for an attacker to not only distribute their malware but also facilitates the additional social engineering that may be required to convince the victim to actually execute the malware to infect themselves," Edmund Brumaghin, threat researcher at Cisco Talos told ZDNet.

In the case of delivery by Discord, victims are tricked into downloading a file called 'fastleafdecay.exe', which poses as a mod for the game Minecraft but is in fact the ransomware. It reveals itself via a basic ransom note and a rude message telling the victim their files can't be decrypted.


A version of the Thanatos ransom note which doesn't even offer the prospect of decryption.

Image: Cisco Talos

Those behind Thanatos have built it from the ground up and may not have the capabilities to actually provide encryption keys to victims who pay -- but they nonetheless continue to distribute the ransomware.

It's possible that those behind the campaign turned to this form of attack because their initial ransomware campaign wasn't very successful -- analysis of the attackers' cryptocurrency wallets suggests that they've received only $720 from ransomware that has been active for six months.

With many more successful and advanced forms of ransomware available 'as-a-service' to would-be extortionists via underground forums, it could be that Thanatos is a case of an attacker looking to test and develop their skills.

"The attacker may have viewed creating and distributing this as an exercise to improve their skill and ability to create future malware," said Brumaghin.

Nonetheless, a year on from the NotPetya ransomware wiper causing chaos around the world, Thanatos demonstrates that attackers don't need to be sophisticated to cause damage with ransomware.

"It is important to take security seriously and take steps to secure your systems, whether they are used for personal or business purposes," said Brumaghin.

"Since many of these attacks take advantage of users, you also need to be careful when opening attachments from unknown sources or clicking on unknown links."
