Thanatos ransomware (Removal Instructions) - Jun 2018 update

by Olivia Morelli - - | Type: Ransomware

Thanatos virus Removal Guide

What is Thanatos ransomware?

Thanatos – a decryptable ransomware virus which is actively spreading around

Ransom note by Thanatos ransomwareThanatos ransomware demands 0.01 BTC for the encrypted files release

Thanatos is a ransomware virus that belongs to the crypto family. It is written in Thanatos.pdb programming language and mostly spreads via malicious spam email attachments. As soon as the infiltration succeeds, ransomware activates the payload and encrypts all files using AES algorithm[1] to make files on the affected computer unavailable. To distinguish locked files, the virus appends .THANATOS file extension to the targeted files and drops “the README.txt” where victims are demanded to contact hackers via c-m58@mail.ru email and pay 0.01 BTC for a decryption key.

Name Thanatos
Type Ransomware
File extension .THANATOS
Ransom note README.txt
Contact email c-m58@mail.ru
Amount of ransom 0.01 BTC
Distribution Spam, illegal software, fake popups
Decryption Download free Thanatos decryption tool from GitHub
Elimination Download and install FortectIntego or SpyHunter 5Combo Cleaner

Thanatos first showed up in February 2018 and soon came back with an updated version later that month. According to researchers, ransomware authors did not have the decryptor themselves, thus, paying the ransom was out of the question. In late June 2018, security experts from Cisco managed to crack the malicious code and create a free ThanatosDecryptor. Researchers managed to find a vulnerability in the encryption procedure used by the virus.

The trick lied in how the virus determines the key for each of the encrypted files. It is based on the time (in milliseconds) since Windows was last launched. Using Windows Event Logs, security experts managed to reverse-engineer the key. Cisco researchers explained the following:[2]

Since Thanatos does not modify the file creation dates on encrypted files, the key search space can be further reduced to approximately the number of milliseconds within the 24-hour period leading up to the infection. At an average of 100,000 brute-force attempts per second (which was the baseline in a virtual machine used for testing), it would take roughly 14 minutes to successfully recover the encryption key in these conditions.

Thanatos malwareSecurity experts released Thanatos decryptor which can be downloaded for free

What makes Thanatos exclusive from the rest of ransomware viruses is the types of cryptocurrency that it accepts. The victim is allowed to transfer the ransom in Ethereum, BitCoin, and BitCoin Cash. Thus, it's the first crypto-ransomware that register payments via BitCoin Cash (BCH) wallet.

Right after the Thanatos ransomware attack, the victim will no longer be able to open documents, images, multimedia, databases, and other files stored on the machine. However, he or she should see “the README.txt” file, which stands for a ransom note in each folder containing locked files. The file provides the contact information (c-m58@mail.ru or thanatos1.1@yandex.com) and crypto-currency wallet addresses:

Thanatos v1.1

Your files was encrypted. To decrypt your files,
follow next steps:

1. Send $200 to one of these wallets:
BTC: 1HvEZ1jZ7BWgBYPxqCvWtKja3a9hsNa9Eh
ETH: 0x92420e4D96E5A2EbC617f1225E92cA82E24B03ef
BCH: qzuexhcqmkzcdazq6jjk69hkhgnme25c35s9tamz6f

2. Send your TXID and your MachineID to mail
E-Mail: thanatos1.1@yandex.com
Machine ID: {ID HERE}

—————————————————
Do not waste your time, files can only be
decrypted by our decode tool.

It seems that developers of the Thanatos ransomware improved it soon after the original version started attacking victims because initially crooks provided c-m58@mail.ru as a contact email and accepted the 0.01 BTC ransom. However, the version of the virus did not change. Experts detect the same v1.1 circulating, but beware that it may provide diverse information.

The ransom note tells that after the payment is transferred, the users should receive a decryptor by email. The truth is that there's no Thanatos decryptor at all – neither paid nor free. According to ransomware analysts, this ransomware encrypts files but does not generate a decryption key. It's not clear yet whether the decision to encrypt people's data permanently has been made intentionally or accidentally. However, it's clear that you will not be able to decrypt files encrypted by Thanatos ransomware even though you pay the ransom.

Thus, you should focus on Thanatos removal instead of risking to increase your damage. Unfortunately, deletion of the virus won’t restore your files, but you will be able to use your PC safely again. If you have backups, simply plug in an external storage device after virus removal and recover files easily.

Those who do not have backups should use alternative data recovery methods that are provided at the end of this post. However, we cannot guarantee that they work. Cybersecurity researchers claim that the most effective, though time-consuming, the method to unlock files compromised by ransomware is to use brute force algorithm. For this purpose, you should contact professional IT experts.

To remove Thanatos from the computer safely, you have to obtain a reputable malware removal tool, such as FortectIntego or Malwarebytes. If you cannot install security software, please follow the guide given below. Keep in mind that manual removal is not recommended due to the complexity of ransomware.

Thanatos belongs to the most difficult types of cyber threats. Hence, after the attack, it may have installed numerous harmful files, injected malicious code into legit system processes, and caused other changes to the system that cannot be safely fixed manually.

Image of Thanatos ransomwareThanatos ransomware blackmails into paying the ransom after making victim's files inaccessible.

Authors of file-encrypting viruses use multiple distribution methods to infect computers

Typically, ransomware viruses spread via malicious spam emails. Thus, malware can sneak into the system when a user is tricked into opening Word, PDF or ZIP file that includes a malicious payload. However, security specialists from DieViren.de[3] also report about other threats.

Ransomware can also be distributed as:

  • fake software update which appears as a pop-up when browsing the web;
  • illegal or obfuscated program in file-sharing sites or networks;
  • malicious ads.[4]

Therefore, you should be careful with content you click or download online. Additionally, to avoid ransomware helps installation of recent updates and robust security software.

Termination of the Thanatos ransomware virus

We have mentioned at the beginning that you should not try to remove Thanatos manually. We want to stress out that only experienced IT specialists can clean your PC without damaging it. Therefore, instead of locating files or registry entries created by ransomware, you should opt out for the automatic elimination method.

Automatic Thanatos removal can be performed with any professional malware removal program. However, we highly recommend using FortectIntego or Malwarebytes. If crypto-virus is resistant and prevents from accessing security software, follow the steps below.

Offer
do it now!
Download
Fortect Happiness
Guarantee Download
Intego Happiness
Guarantee
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Fortect review | Terms of Use | Privacy policy | Refund Policy | Uninstall guide
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Download SpyHunter 5 Review »
Privacy policy | Terms of Use | Product Refund Policy | Uninstall Instructions
Malwarebytes
Download | Review | Privacy policy | Terms of Use | Product Refund Policy | Uninstall Instructions
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.
Download Combo Cleaner Review »
Privacy policy | Terms of Use | Product Refund Policy | Uninstall Instructions

Getting rid of Thanatos virus. Follow these steps

Manual removal using Safe Mode

First of all, you should disable the virus to remove it automatically without any obstacles.

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list. Windows 7/XP
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
    Settings
  2. Scroll down to pick Update & Security.
    Update and security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
    Reboot
  6. Select Troubleshoot. Choose an option
  7. Go to Advanced options. Advanced options
  8. Select Startup Settings. Startup settings
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking. Enable safe mode

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
    Open task manager
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
    Open file location
  5. Go back to the process, right-click and pick End Task.
    End task
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.
    Startup

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Downloads
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Delete temp files
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):

    %AppData%
    %LocalAppData%
    %ProgramData%
    %WinDir%

After you are finished, reboot the PC in normal mode.

Remove Thanatos using System Restore

If the previous method did not help to remove Thanatos ransomware, follow these steps:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Thanatos. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that Thanatos removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Thanatos from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Thanatos, you can use several methods to restore them:

Recover your data
Recover your data

Data Recovery Pro – alternative tool to restore damaged files

Nevertheless, it's not an official decryptor; it might still help to restore some of the files.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Thanatos ransomware;
  • Restore them.

Take advantage of Windows Previous Versions feature

If System Restore was enabled before Thanatos ransomware attack, you can follow the steps below and get back access to the most important files:

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Use ShadoExplorer

If the ransomware did not delete Shadow Volume Copies, you could use ShadowExplorer to restore encrypted files.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Use a free Thanatos decryptor tool

Security experts from Cisco created a free ThanatosDecryptor. Download it and recover your files.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Thanatos and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Do not let government spy on you

The government has many issues in regards to tracking users' data and spying on citizens, so you should take this into consideration and learn more about shady information gathering practices. Avoid any unwanted government tracking or spying by going totally anonymous on the internet. 

You can choose a different location when you go online and access any material you want without particular content restrictions. You can easily enjoy internet connection without any risks of being hacked by using Private Internet Access VPN.

Control the information that can be accessed by government any other unwanted party and surf online without being spied on. Even if you are not involved in illegal activities or trust your selection of services, platforms, be suspicious for your own security and take precautionary measures by using the VPN service.

Backup files for the later use, in case of the malware attack

Computer users can suffer from data losses due to cyber infections or their own faulty doings. Ransomware can encrypt and hold files hostage, while unforeseen power cuts might cause a loss of important documents. If you have proper up-to-date backups, you can easily recover after such an incident and get back to work. It is also equally important to update backups on a regular basis so that the newest information remains intact – you can set this process to be performed automatically.

When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware strikes out of nowhere. Use Data Recovery Pro for the data restoration process.

About the author
Olivia Morelli
Olivia Morelli - Ransomware analyst

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Olivia Morelli
About the company Esolutions

References
Removal guides in other languages