Security researchers at Cisco Talos have discovered a weakness in the Thanatos ransomware code that makes it possible for victims to unlock their Thanatos encrypted files for free without paying any ransom in cryptocurrencies.
Like all ransomware threats, Thanatos encrypts files and asks victims to pay for ransom in multiple cryptocurrencies, including Bitcoin Cash, to decrypt their files.
"Multiple versions of Thanatos have been leveraged by attackers, indicating that this is an evolving threat that continues to be actively developed by threat actors with multiple versions having been distributed in the wild," the researchers say.
"Unlike other ransomware commonly being distributed, Thanatos does not demand ransom payments to be made using a single cryptocurrency like bitcoin. Instead, it has been observed supporting ransom payments in the form of Bitcoin Cash (BCH), Zcash (ZEC), Ethereum (ETH) and others."Once infected, all the encrypted filename extensions on the affected computer are changed to .THANATOS, and then a ransom note pops up whenever the user tries to log on to the system, instructing them to send the ransom money to a hardcoded cryptocurrency wallet address in order to decrypt the files.
However, since Thanatos uses different encryption keys to encrypt each file on an infected system without storing them anywhere, it is impossible for malware authors to return users' data, even if the victims pay the ransom.
Free Thanatos Ransomware Decryption Tool
Cisco researchers analyzed the malware code and found a loophole in the design of the file encryption methodology used by Thanatos, using which they developed a free ransomware decryption tool that will help victims decrypt their files.
Dubbed ThanatosDecryptor, the open source, free ransomware decryption tool can be downloaded from the GitHub website, which has recently been acquired by Microsoft for $7.5 billion, and works for Thanatos ransomware versions 1 and 1.1
Since the encryption keys used by Thanatos are derived based upon the number of milliseconds since the system last booted, it was possible for researchers to reverse engineer the logic and re-generate the same 32-bit encryption key using brute force attack and Windows Event Logs.
"Since Thanatos does not modify the file creation dates on encrypted files, the key search space can be further reduced to approximately the number of milliseconds within the 24-hour period leading up to the infection," researchers explain.
"At an average of 100,000 brute-force attempts per second (which was the baseline in a virtual machine used for testing), it would take roughly 14 minutes to successfully recover the encryption key in these conditions."For more detail about the Thanatos ransomware, you can head on to detailed blog post published by Cisco Talos today.
How to Protect Yourself From Ransomware Attacks
Most ransomware spread through phishing emails, malicious adverts on websites, and third-party apps and programs. Whether it's Locky, CoinVault, Thanatos, TeslaCrypt, or any other ransomware malware, the protection measures are standard.
To safeguard against such ransomware attacks, you should always be suspicious of uninvited documents sent in an email and never click on links inside those documents unless verifying their sources.
Check if macros are disabled in your MS Office apps. If not, block macros from running in MS Office files from the Internet.
In order to always have a tight grip on all your important documents, keep a good backup routine in place that makes copies of your files to an external storage device which is not always connected to your PC.
Moreover, make sure that you run an active behavioral-based antivirus security suite on your system that can detect and block such malware before it can infect your device, and always remember to keep them up-to-date.