Skip to content
  • Active
  • Severity: High
  • Ransomware
  • Windows
  • Verified · Mar 2019

How to remove Thanatos ransomware

A step-by-step removal guide for affected devices. Follow the verified procedure below — most readers complete it in under 10 minutes.

Olivia Morelli · Ransomware analyst

Thanatos – a decryptable ransomware virus which is actively spreading around

Ransom note by Thanatos ransomware

Thanatos is a ransomware virus that belongs to the crypto family. It is written in Thanatos.pdb programming language and mostly spreads via malicious spam email attachments. As soon as the infiltration succeeds, ransomware activates the payload and encrypts all files using AES algorithm[1] to make files on the affected computer unavailable. To distinguish locked files, the virus appends .THANATOS file extension to the targeted files and drops “the README.txt” where victims are demanded to contact hackers via c-m58@mail.ru email and pay 0.01 BTC for a decryption key.

Name Thanatos
Type  Ransomware
File extension .THANATOS
Ransom note README.txt
Contact email c-m58@mail.ru
Amount of ransom 0.01 BTC
Distribution Spam, illegal software, fake popups
Decryption Download free Thanatos decryption tool from GitHub
Elimination Download and install FortectIntego or SpyHunterCombo Cleaner

Thanatos first showed up in February 2018 and soon came back with an updated version later that month. According to researchers, ransomware authors did not have the decryptor themselves, thus, paying the ransom was out of the question. In late June 2018, security experts from Cisco managed to crack the malicious code and create a free ThanatosDecryptor. Researchers managed to find a vulnerability in the encryption procedure used by the virus.

The trick lied in how the virus determines the key for each of the encrypted files. It is based on the time (in milliseconds) since Windows was last launched. Using Windows Event Logs, security experts managed to reverse-engineer the key. Cisco researchers explained the following:[2] 

Since Thanatos does not modify the file creation dates on encrypted files, the key search space can be further reduced to approximately the number of milliseconds within the 24-hour period leading up to the infection. At an average of 100,000 brute-force attempts per second (which was the baseline in a virtual machine used for testing), it would take roughly 14 minutes to successfully recover the encryption key in these conditions.

Thanatos malware

What makes Thanatos exclusive from the rest of ransomware viruses is the types of cryptocurrency that it accepts. The victim is allowed to transfer the ransom in Ethereum, BitCoin, and BitCoin Cash. Thus, it's the first crypto-ransomware that register payments via BitCoin Cash (BCH) wallet. 

Right after the Thanatos ransomware attack, the victim will no longer be able to open documents, images, multimedia, databases, and other files stored on the machine. However, he or she should see “the README.txt” file, which stands for a ransom note in each folder containing locked files. The file provides the contact information (c-m58@mail.ru or thanatos1.1@yandex.com) and crypto-currency wallet addresses: 

Thanatos v1.1

Your files was encrypted. To decrypt your files,
follow next steps:

1. Send $200 to one of these wallets:
BTC: 1HvEZ1jZ7BWgBYPxqCvWtKja3a9hsNa9Eh
ETH: 0x92420e4D96E5A2EbC617f1225E92cA82E24B03ef
BCH: qzuexhcqmkzcdazq6jjk69hkhgnme25c35s9tamz6f

2. Send your TXID and your MachineID to mail
E-Mail: thanatos1.1@yandex.com
Machine ID: {ID HERE}

—————————————————
Do not waste your time, files can only be
decrypted by our decode tool.

It seems that developers of the Thanatos ransomware improved it soon after the original version started attacking victims because initially crooks provided c-m58@mail.ru as a contact email and accepted the 0.01 BTC ransom. However, the version of the virus did not change. Experts detect the same v1.1 circulating, but beware that it may provide diverse information. 

The ransom note tells that after the payment is transferred, the users should receive a decryptor by email. The truth is that there's no Thanatos decryptor at all – neither paid nor free. According to ransomware analysts, this ransomware encrypts files but does not generate a decryption key. It's not clear yet whether the decision to encrypt people's data permanently has been made intentionally or accidentally. However, it's clear that you will not be able to decrypt files encrypted by Thanatos ransomware even though you pay the ransom. 

Thus, you should focus on Thanatos removal instead of risking to increase your damage. Unfortunately, deletion of the virus won’t restore your files, but you will be able to use your PC safely again. If you have backups, simply plug in an external storage device after virus removal and recover files easily. 

Those who do not have backups should use alternative data recovery methods that are provided at the end of this post. However, we cannot guarantee that they work. Cybersecurity researchers claim that the most effective, though time-consuming, the method to unlock files compromised by ransomware is to use brute force algorithm. For this purpose, you should contact professional IT experts. 

To remove Thanatos from the computer safely, you have to obtain a reputable malware removal tool, such as FortectIntego or MalwarebytesMalwarebytes. If you cannot install security software, please follow the guide given below. Keep in mind that manual removal is not recommended due to the complexity of ransomware.

Thanatos belongs to the most difficult types of cyber threats. Hence, after the attack, it may have installed numerous harmful files, injected malicious code into legit system processes, and caused other changes to the system that cannot be safely fixed manually.

Image of Thanatos ransomware

Authors of file-encrypting viruses use multiple distribution methods to infect computers

Typically, ransomware viruses spread via malicious spam emails. Thus, malware can sneak into the system when a user is tricked into opening Word, PDF or ZIP file that includes a malicious payload. However, security specialists from DieViren.de[3] also report about other threats.

Ransomware can also be distributed as:

  • fake software update which appears as a pop-up when browsing the web;
  • illegal or obfuscated program in file-sharing sites or networks;
  • malicious ads.[4]

Therefore, you should be careful with content you click or download online. Additionally, to avoid ransomware helps installation of recent updates and robust security software.

Termination of the Thanatos ransomware virus

We have mentioned at the beginning that you should not try to remove Thanatos manually. We want to stress out that only experienced IT specialists can clean your PC without damaging it. Therefore, instead of locating files or registry entries created by ransomware, you should opt out for the automatic elimination method.

Automatic Thanatos removal can be performed with any professional malware removal program. However, we highly recommend using FortectIntego or MalwarebytesMalwarebytes. If crypto-virus is resistant and prevents from accessing security software, follow the steps below.

Be the first to comment

Read in your language

Spyware news
Privacy preferences

We use cookies to improve your experience and analyze traffic. Some cookies enable embedded content like videos and social posts. Choose what you allow — you can change this anytime.