Thanatos Ransomware: Cisco researchers release free ThanatosDecryptor to save encrypted files

• The Thanatos ransomware wreaked havoc by destroying encrypted files, even if the victim paid the ransom
• Thanatos ransomware victims can now decrypt their files for free using the new tool

When Thanatos ransomware was first discovered in February, the destructive malware strain created chaos by infecting hundreds of computers and deleting files even after victims paid the ransom. Thanatos’ popularity and success for cybercriminals also paved the way for the release of multiple, upgraded versions in the following months.

In order to combat the ransomware and loss of data, researchers at Cisco Talos have built a free decryptor named ThanatosDecryptor. The decryptor is now available for download to helps victims retrieve their encrypted files and data. Cisco researchers have advised users to run the decryptor on the same machine where the files were encrypted.

Modus Operandi

The decryptor runs a search function on the system to determine files that have ‘.THANATOS’ file extension. It then obtains the original file extension and compares it to the list of supported file types. If the file extension is supported, ThanatosDecryptor decrypts the file. If the file extension is not supported, the seed value for the encryption key is incremented and the process is repeated.

ThanatosDecryptor has a unique way of determining the starting value of the decryption. The decryptor parses the Windows Event Log to gain access to uptime messages. From there, it determines the encrypted file creation time metadata in order to assign a starting value for decryption. This value is then used to derive an encryption key. Resulting bytes are obtained by running an AES decryption operation against the file contents and comparing against valid file headers.

If you are interested in learning more about how the decryptor works, Cisco has open sourced their tool at the project's Github page.