Cisco’s Talos team this week announced the availability of a free decryption tool to help victims of the Thanatos ransomware recover their files without paying the ransom.
Analysis of the threat has revealed a large number of Thanatos iterations being used by attackers, which led Talos to the conclusion that the malware is being actively developed. Unlike other ransomware families, which use Bitcoin, Thanatos asks victims to pay the ransom in the form of Bitcoin Cash (BCH), Zcash (ZEC), Ethereum (ETH) and others.
Cisco’s Talos researchers also discovered a series of issues with the malware’s encryption process, which prevents the attacker from successfully returning the data to the victim, even if the ransom was paid. “In some cases, this is intentional on the part of the distributor,” Talos reports.
Differences between the various versions of the malware are mainly observed in the ransom note, which was initially primitive, saved on the desktop as README.txt. It would only inform the victim that their files had been encrypted and demanded a payment be made to a specific Bitcoin address, the same for all victims. Apparently, payment processing was made manually and was email-based.
The next version already added support for more crypto-currencies the victims could pay the ransom with. In addition to offering support for BTC, ETH, and BCH, that malware variant also included a unique MachineID in the ransom note, and instructed victims to send it to the attacker (via email).
The investigation into the various Thanatos ransomware iterations also revealed that, at least in one particular case, the attacker “had no intention of providing any sort of data decryption to the victim,” the security researchers say. The malware was being distributed as attachments to chat messages sent via Discord.
The ransom note delivered to victims as part of that attack would inform them that decryption was not available, which clearly suggested the actor was not financially motivated, but rather interested in destroying data on the victim’s system.
Once executed on the victim system, the malware copies itself into a subdirectory within %APPDATA%/Roaming. It also scans the following directories to identify files to encrypt: Desktop, Documents, Downloads, Favourites, Music, OneDrive, Pictures, and Videos.
The ransomware can encrypt all files in the target directories, and the security researchers observed it discarding the encryption key after encrypting users’ files (which now have the .THANATOS extension). Because of that, the attackers can’t provide access to the decrypted data, even if a ransom demand is paid.
The encryption keys used to encrypt files on victims’ systems are derived from the number of milliseconds since the system last booted. Because these keys are 32 bits and can store up to 49.7 days’ worth of milliseconds, which is much higher than the average amount of uptime on many systems, “this makes brute-forcing the key values significantly cheaper from a time perspective,” Talos says.
Furthermore, because the system uptime is written to the Windows Event Log roughly once per day, “the key search space can be further reduced to approximately the number of milliseconds within the 24-hour period leading up to the infection,” the researchers note. Thus, successfully recovering the encryption key would take roughly 14 minutes.
Talos’ newly released decryption utility works with versions 1 and 1.1 of the Thanatos ransomware and on all currently known Thanatos samples the security firm has observed. Victims are advised to execute the decryptor “on the original machine that was infected and against the original encrypted files that the malware created.”
At the moment, the utility can only decrypt .gif, .tif, .tiff, .jpg, .jpeg, .png, .mpg, .mpeg, .mp4, .avi, .wav, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pdf, .odt, .ods, .odp, .rtf,.zip, .7z, .vmdk, .psd, and .lnk file types. To decrypt files, users need to download ThanatosDecryptor and execute the .exe file in the release directory.
