27 Jun 2018

Computers infected with Thanatos, a ransomware that does not unlock files even when the ransom is paid, can now have their files recovered with a new free decryptor released by security researchers.

Researchers at Cisco Talos have discovered a weakness in the Thanatos ransomware code that lets victims unlock their Thanatos-encrypted files for free, without paying any ransom in cryptocurrency.

Like all ransomware, Thanatos encrypts files and asks victims to pay a ransom, in one of several cryptocurrencies including Bitcoin Cash, to decrypt them.

The researchers report that multiple versions of Thanatos have been distributed by attackers, which indicates an evolving threat that continues to be actively developed, with several versions seen in the wild. Unlike most ransomware, Thanatos does not demand ransom payments in bitcoin. Instead, it asks for other cryptocurrencies such as Bitcoin Cash (BCH), Zcash (ZEC), Ethereum (ETH) and others.

Once a system is infected, the extensions of all encrypted files on it are changed to .THANATOS. Whenever the victim logs on to the system, a ransom note pops up demanding that the ransom be sent to a hardcoded cryptocurrency wallet address in order to decrypt the files.

Thanatos uses a different encryption key for each file on an infected system and stores the keys nowhere, so it is impossible to return users' data even if the victims pay the ransom.

Free Thanatos Ransomware Decryption Tool

Cisco researchers inspected the malware code, found a flaw in the design of the file encryption scheme used by Thanatos, and developed a free ransomware decryption tool that enables victims to decrypt their files.

The free, open source decryption tool, dubbed ThanatosDecryptor, can be downloaded from GitHub and works for Thanatos ransomware versions 1 and 1.1.

Because the encryption keys used by Thanatos are derived from the number of milliseconds since the system last booted, the researchers were able to reverse engineer the logic and regenerate the same 32-bit encryption key by brute force, with the help of Windows Event Logs.

The researchers explain that Thanatos does not modify the creation dates of encrypted files, so the key search space can be further reduced to approximately the number of milliseconds in the 24-hour period leading up to the infection. At an average of 100,000 brute-force attempts per second (the baseline measured in the virtual machine used for testing), recovering the encryption key under these conditions would take roughly 14 minutes.
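The following Python model is an added illustration, not the Talos decryptor or Thanatos's actual cipher: it shows why a key whose only secret input is a 32-bit "milliseconds since boot" counter can be recovered by a defender who can bound the boot window. The hash-based key derivation, the XOR keystream cipher and the known-PNG-header check are constructed stand-ins; the 24-hour window and 100,000 attempts per second are the article's figures.

```python
import hashlib
import struct

# Real PNG signature, used here as the known plaintext that validates a key guess.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

def derive_key(tick_ms: int) -> bytes:
    """Constructed model: a 32-bit uptime value is the only secret in the key.
    Hashing is a stand-in for whatever derivation the real malware used."""
    return hashlib.sha256(struct.pack("<I", tick_ms & 0xFFFFFFFF)).digest()

def keystream(key: bytes, length: int) -> bytes:
    """Simple hash-counter keystream (constructed, for the model only)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack("<Q", counter)).digest()
        counter += 1
    return bytes(out[:length])

def xor_crypt(data: bytes, key: bytes) -> bytes:
    # XOR with the keystream is symmetric: encrypts and decrypts.
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

def recover_tick(ciphertext: bytes, magic: bytes, tick_lo: int, tick_hi: int):
    """Brute-force the candidate window [tick_lo, tick_hi) as a decryptor would:
    event logs bound the window, the file's known header confirms the guess."""
    head = ciphertext[:len(magic)]
    for tick in range(tick_lo, tick_hi):
        if xor_crypt(head, derive_key(tick)) == magic:
            return tick
    return None

def estimated_search_seconds(window_ms: int, attempts_per_second: int) -> float:
    """Worst-case seconds to exhaust a window of candidate tick values."""
    return window_ms / attempts_per_second

# Constructed demo: a fake PNG encrypted with a tick roughly one hour after boot.
SECRET_TICK = 3_600_000 + 4242
sample_plain = PNG_MAGIC + b"constructed image body"
sample_cipher = xor_crypt(sample_plain, derive_key(SECRET_TICK))

if __name__ == "__main__":
    tick = recover_tick(sample_cipher, PNG_MAGIC, 3_600_000, 3_610_000)
    print("recovered tick:", tick,
          "plaintext ok:", xor_crypt(sample_cipher, derive_key(tick)) == sample_plain)
    # The article's 24-hour window at 100,000 guesses/s: 864 s, about 14 minutes.
    print("minutes for a 24h window:", estimated_search_seconds(86_400_000, 100_000) / 60)
```

The file-type check is why such a tool only handles formats with a recognisable header: a guess can be verified only when the first bytes of the plaintext are known.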

Decrypting files encrypted by Thanatos

To decrypt files encrypted by Thanatos, first download ThanatosDecryptor and save it to your desktop. Make sure the Microsoft Visual C++ Redistributable for Visual Studio 2017 is installed, or you will receive errors about missing DLLs when you try to run the decryptor.

Now double-click the executable and the decryptor will begin searching for files to decrypt. At this time, the decryptor only decrypts the following file types:

Image: .gif, .tif, .tiff, .jpg, .jpeg, .png

Video: .mpg, .mpeg, .mp4, .avi

Audio: .wav

Document: .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pdf, .odt, .ods, .odp, .rtf

Other: .zip, .7z, .vmdk, .psd, .lnk

Cisco recommends that the decryptor be run on the same computer on which the files were encrypted.
