Thanatos ransomware (Removal Instructions) - Jun 2018 update
Thanatos virus Removal Guide
What is Thanatos ransomware?
Thanatos – a decryptable ransomware virus which is actively spreading around
Thanatos ransomware demands 0.01 BTC for the encrypted files release
Thanatos is a ransomware virus that belongs to the crypto family. It is written in Thanatos.pdb programming language and mostly spreads via malicious spam email attachments. As soon as the infiltration succeeds, ransomware activates the payload and encrypts all files using AES algorithm[1] to make files on the affected computer unavailable. To distinguish locked files, the virus appends .THANATOS file extension to the targeted files and drops “the README.txt” where victims are demanded to contact hackers via c-m58@mail.ru email and pay 0.01 BTC for a decryption key.
Name | Thanatos |
Type | Ransomware |
File extension | .THANATOS |
Ransom note | README.txt |
Contact email | c-m58@mail.ru |
Amount of ransom | 0.01 BTC |
Distribution | Spam, illegal software, fake popups |
Decryption | Download free Thanatos decryption tool from GitHub |
Elimination | Download and install FortectIntego or SpyHunter 5Combo Cleaner |
Thanatos first showed up in February 2018 and soon came back with an updated version later that month. According to researchers, ransomware authors did not have the decryptor themselves, thus, paying the ransom was out of the question. In late June 2018, security experts from Cisco managed to crack the malicious code and create a free ThanatosDecryptor. Researchers managed to find a vulnerability in the encryption procedure used by the virus.
The trick lied in how the virus determines the key for each of the encrypted files. It is based on the time (in milliseconds) since Windows was last launched. Using Windows Event Logs, security experts managed to reverse-engineer the key. Cisco researchers explained the following:[2]
Since Thanatos does not modify the file creation dates on encrypted files, the key search space can be further reduced to approximately the number of milliseconds within the 24-hour period leading up to the infection. At an average of 100,000 brute-force attempts per second (which was the baseline in a virtual machine used for testing), it would take roughly 14 minutes to successfully recover the encryption key in these conditions.
Security experts released Thanatos decryptor which can be downloaded for free
What makes Thanatos exclusive from the rest of ransomware viruses is the types of cryptocurrency that it accepts. The victim is allowed to transfer the ransom in Ethereum, BitCoin, and BitCoin Cash. Thus, it's the first crypto-ransomware that register payments via BitCoin Cash (BCH) wallet.
Right after the Thanatos ransomware attack, the victim will no longer be able to open documents, images, multimedia, databases, and other files stored on the machine. However, he or she should see “the README.txt” file, which stands for a ransom note in each folder containing locked files. The file provides the contact information (c-m58@mail.ru or thanatos1.1@yandex.com) and crypto-currency wallet addresses:
Thanatos v1.1
Your files was encrypted. To decrypt your files,
follow next steps:1. Send $200 to one of these wallets:
BTC: 1HvEZ1jZ7BWgBYPxqCvWtKja3a9hsNa9Eh
ETH: 0x92420e4D96E5A2EbC617f1225E92cA82E24B03ef
BCH: qzuexhcqmkzcdazq6jjk69hkhgnme25c35s9tamz6f2. Send your TXID and your MachineID to mail
E-Mail: thanatos1.1@yandex.com
Machine ID: {ID HERE}—————————————————
Do not waste your time, files can only be
decrypted by our decode tool.
It seems that developers of the Thanatos ransomware improved it soon after the original version started attacking victims because initially crooks provided c-m58@mail.ru as a contact email and accepted the 0.01 BTC ransom. However, the version of the virus did not change. Experts detect the same v1.1 circulating, but beware that it may provide diverse information.
The ransom note tells that after the payment is transferred, the users should receive a decryptor by email. The truth is that there's no Thanatos decryptor at all – neither paid nor free. According to ransomware analysts, this ransomware encrypts files but does not generate a decryption key. It's not clear yet whether the decision to encrypt people's data permanently has been made intentionally or accidentally. However, it's clear that you will not be able to decrypt files encrypted by Thanatos ransomware even though you pay the ransom.
Thus, you should focus on Thanatos removal instead of risking to increase your damage. Unfortunately, deletion of the virus won’t restore your files, but you will be able to use your PC safely again. If you have backups, simply plug in an external storage device after virus removal and recover files easily.
Those who do not have backups should use alternative data recovery methods that are provided at the end of this post. However, we cannot guarantee that they work. Cybersecurity researchers claim that the most effective, though time-consuming, the method to unlock files compromised by ransomware is to use brute force algorithm. For this purpose, you should contact professional IT experts.
To remove Thanatos from the computer safely, you have to obtain a reputable malware removal tool, such as FortectIntego or Malwarebytes. If you cannot install security software, please follow the guide given below. Keep in mind that manual removal is not recommended due to the complexity of ransomware.
Thanatos belongs to the most difficult types of cyber threats. Hence, after the attack, it may have installed numerous harmful files, injected malicious code into legit system processes, and caused other changes to the system that cannot be safely fixed manually.
Thanatos ransomware blackmails into paying the ransom after making victim's files inaccessible.
Authors of file-encrypting viruses use multiple distribution methods to infect computers
Typically, ransomware viruses spread via malicious spam emails. Thus, malware can sneak into the system when a user is tricked into opening Word, PDF or ZIP file that includes a malicious payload. However, security specialists from DieViren.de[3] also report about other threats.
Ransomware can also be distributed as:
- fake software update which appears as a pop-up when browsing the web;
- illegal or obfuscated program in file-sharing sites or networks;
- malicious ads.[4]
Therefore, you should be careful with content you click or download online. Additionally, to avoid ransomware helps installation of recent updates and robust security software.
Termination of the Thanatos ransomware virus
We have mentioned at the beginning that you should not try to remove Thanatos manually. We want to stress out that only experienced IT specialists can clean your PC without damaging it. Therefore, instead of locating files or registry entries created by ransomware, you should opt out for the automatic elimination method.
Automatic Thanatos removal can be performed with any professional malware removal program. However, we highly recommend using FortectIntego or Malwarebytes. If crypto-virus is resistant and prevents from accessing security software, follow the steps below.
Getting rid of Thanatos virus. Follow these steps
Manual removal using Safe Mode
First of all, you should disable the virus to remove it automatically without any obstacles.
Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.
Step 1. Access Safe Mode with Networking
Manual malware removal should be best performed in the Safe Mode environment.
Windows 7 / Vista / XP
- Click Start > Shutdown > Restart > OK.
- When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
- Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
- Right-click on Start button and select Settings.
- Scroll down to pick Update & Security.
- On the left side of the window, pick Recovery.
- Now scroll down to find Advanced Startup section.
- Click Restart now.
- Select Troubleshoot.
- Go to Advanced options.
- Select Startup Settings.
- Press Restart.
- Now press 5 or click 5) Enable Safe Mode with Networking.
Step 2. Shut down suspicious processes
Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Click on More details.
- Scroll down to Background processes section, and look for anything suspicious.
- Right-click and select Open file location.
- Go back to the process, right-click and pick End Task.
- Delete the contents of the malicious folder.
Step 3. Check program Startup
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Go to Startup tab.
- Right-click on the suspicious program and pick Disable.
Step 4. Delete virus files
Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:
- Type in Disk Cleanup in Windows search and press Enter.
- Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
- Scroll through the Files to delete list and select the following:
Temporary Internet Files
Downloads
Recycle Bin
Temporary files - Pick Clean up system files.
- You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):
%AppData%
%LocalAppData%
%ProgramData%
%WinDir%
After you are finished, reboot the PC in normal mode.
Remove Thanatos using System Restore
If the previous method did not help to remove Thanatos ransomware, follow these steps:
-
Step 1: Reboot your computer to Safe Mode with Command Prompt
Windows 7 / Vista / XP- Click Start → Shutdown → Restart → OK.
- When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
- Select Command Prompt from the list
Windows 10 / Windows 8- Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
- Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
- Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
-
Step 2: Restore your system files and settings
- Once the Command Prompt window shows up, enter cd restore and click Enter.
- Now type rstrui.exe and press Enter again..
- When a new window shows up, click Next and select your restore point that is prior the infiltration of Thanatos. After doing that, click Next.
- Now click Yes to start system restore.
Bonus: Recover your data
Guide which is presented above is supposed to help you remove Thanatos from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.If your files are encrypted by Thanatos, you can use several methods to restore them:
Data Recovery Pro – alternative tool to restore damaged files
Nevertheless, it's not an official decryptor; it might still help to restore some of the files.
- Download Data Recovery Pro;
- Follow the steps of Data Recovery Setup and install the program on your computer;
- Launch it and scan your computer for files encrypted by Thanatos ransomware;
- Restore them.
Take advantage of Windows Previous Versions feature
If System Restore was enabled before Thanatos ransomware attack, you can follow the steps below and get back access to the most important files:
- Find an encrypted file you need to restore and right-click on it;
- Select “Properties” and go to “Previous versions” tab;
- Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.
Use ShadoExplorer
If the ransomware did not delete Shadow Volume Copies, you could use ShadowExplorer to restore encrypted files.
- Download Shadow Explorer (http://shadowexplorer.com/);
- Follow a Shadow Explorer Setup Wizard and install this application on your computer;
- Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
- Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.
Use a free Thanatos decryptor tool
Security experts from Cisco created a free ThanatosDecryptor. Download it and recover your files.
Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Thanatos and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes
How to prevent from getting ransomware
Do not let government spy on you
The government has many issues in regards to tracking users' data and spying on citizens, so you should take this into consideration and learn more about shady information gathering practices. Avoid any unwanted government tracking or spying by going totally anonymous on the internet.
You can choose a different location when you go online and access any material you want without particular content restrictions. You can easily enjoy internet connection without any risks of being hacked by using Private Internet Access VPN.
Control the information that can be accessed by government any other unwanted party and surf online without being spied on. Even if you are not involved in illegal activities or trust your selection of services, platforms, be suspicious for your own security and take precautionary measures by using the VPN service.
Backup files for the later use, in case of the malware attack
Computer users can suffer from data losses due to cyber infections or their own faulty doings. Ransomware can encrypt and hold files hostage, while unforeseen power cuts might cause a loss of important documents. If you have proper up-to-date backups, you can easily recover after such an incident and get back to work. It is also equally important to update backups on a regular basis so that the newest information remains intact – you can set this process to be performed automatically.
When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware strikes out of nowhere. Use Data Recovery Pro for the data restoration process.
- ^ Advanced Encryption Standard. Wikipedia. The free encyclopedia.
- ^ Files Cannot Be Decrypted? Challenge Accepted. Talos Releases ThanatosDecryptor. Talos. Security researchers.
- ^ DieViren. DieViren. German cyber security news.
- ^ Dan Goodin. Here’s why the epidemic of malicious ads grew so much worse last year. Ars Technica. IT news, reviews, and analysis.