Free decryption tool released for Thanatos ransomware

The Thanatos ransomware first appeared in the threat landscape in February when it was discovered by researchers at the MalwareHunterTeam. This ransomware started as moneymaking operation and evolved into a campaign of pure destruction - but now victims can retrieve their files, for free.

Thanatos ransomware is a malware which encrypts files it appends the.THANATOS extension to them. Once the encryption is completed, the malware connects to a specific URL to report the infection. It locks data with AES cryptography to demand a ransom. Even though users whose computers are infected with this malicious program are unable to get back the access to the encrypted information without paying the ransom, now experts have released a free decryption software.

Thanatos is distinct from many other forms of ransomware in that it doesn't demand a payment in bitcoin, but is known instead to request ransoms paid in other cryptocurrencies including Bitcoin Cash, Zcash and Ethereum.

The experts from Cisco Talos believe the malware is being actively developed, it was being distributed as attachments to chat messages sent via Discord as multiple versions of it have been released in the months since February. The initial Thanatos 1 version demanded its victims to pay the ransom in Bitcoins. However, Thanatos version 1.1 of this malicious program accept other cryptocurrencies for the transactions as well:

“Unlike other ransomware commonly being distributed, Thanatos does not demand ransom payments to be made using a single cryptocurrency like bitcoin. Instead, it has been observed supporting ransom payments in the form of Bitcoin Cash (BCH), Zcash (ZEC), Ethereum (ETH) and others.”

The experts observed several variants of the malware, the first ones were using the same Bitcoin address for all the victims and the payment processing was manual after the victims were instructed to send an email to the crooks.