Connect with us

Hi, what are you looking for?



Free Thanatos Ransomware Decryptor Released

Cisco’s Talos team this week announced the availability of a free decryption tool to help victims of the Thanatos ransomware recover their files without paying the ransom.

Cisco’s Talos team this week announced the availability of a free decryption tool to help victims of the Thanatos ransomware recover their files without paying the ransom.

Analysis of the threat has revealed a large number of Thanatos iterations being used by attackers, which led Talos to the conclusion that the malware is being actively developed. Unlike other ransomware families, which use Bitcoin, Thanatos asks victims to pay the ransom in the form of Bitcoin Cash (BCH), Zcash (ZEC), Ethereum (ETH) and others.

Cisco’s Talos researchers also discovered a series of issues with the malware’s encryption process, which prevents the attacker from successfully returning the data to the victim, even if the ransom was paid. “In some cases, this is intentional on the part of the distributor,” Talos reports.

Differences between the various versions of the malware are mainly observed in the ransom note, which was initially primitive, saved on the desktop as README.txt. It would only inform the victim that their files had been encrypted and demanded a payment be made to a specific Bitcoin address, the same for all victims. Apparently, payment processing was made manually and was email-based.

The next version already added support for more crypto-currencies the victims could pay the ransom with. In addition to offering support for BTC, ETH, and BCH, that malware variant also included a unique MachineID in the ransom note, and instructed victims to send it to the attacker (via email).

The investigation into the various Thanatos ransomware iterations also revealed that, at least in one particular case, the attacker “had no intention of providing any sort of data decryption to the victim,” the security researchers say. The malware was being distributed as attachments to chat messages sent via Discord.

The ransom note delivered to victims as part of that attack would inform them that decryption was not available, which clearly suggested the actor was not financially motivated, but rather interested in destroying data on the victim’s system.

Advertisement. Scroll to continue reading.

Once executed on the victim system, the malware copies itself into a subdirectory within %APPDATA%/Roaming. It also scans the following directories to identify files to encrypt: Desktop, Documents, Downloads, Favourites, Music, OneDrive, Pictures, and Videos.

The ransomware can encrypt all files in the target directories, and the security researchers observed it discarding the encryption key after encrypting users’ files (which now have the .THANATOS extension). Because of that, the attackers can’t provide access to the decrypted data, even if a ransom demand is paid.

The encryption keys used to encrypt files on victims’ systems are derived from the number of milliseconds since the system last booted. Because these keys are 32 bits and can store up to 49.7 days’ worth of milliseconds, which is much higher than the average amount of uptime on many systems, “this makes brute-forcing the key values significantly cheaper from a time perspective,” Talos says.

Furthermore, because the system uptime is written to the Windows Event Log roughly once per day, “the key search space can be further reduced to approximately the number of milliseconds within the 24-hour period leading up to the infection,” the researchers note. Thus, successfully recovering the encryption key would take roughly 14 minutes.

Talos’ newly released decryption utility works with versions 1 and 1.1 of the Thanatos ransomware and on all currently known Thanatos samples the security firm has observed. Victims are advised to execute the decryptor “on the original machine that was infected and against the original encrypted files that the malware created.”

At the moment, the utility can only decrypt .gif, .tif, .tiff, .jpg, .jpeg, .png, .mpg, .mpeg, .mp4, .avi, .wav, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pdf, .odt, .ods, .odp, .rtf,.zip, .7z, .vmdk, .psd, and .lnk file types. To decrypt files, users need to download ThanatosDecryptor and execute the .exe file in the release directory.

Related: Thanatos Ransomware Makes Data Recovery Impossible

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...