Severity scale: 98/100

Thanatos ransomware. How to remove? (Uninstall guide)

Removal guide by Olivia Morelli | Type: Ransomware

Thanatos – a decryptable ransomware virus which is actively spreading around

Image caption: ransom note by Thanatos ransomware. Thanatos demands 0.01 BTC for the release of the encrypted files.

Thanatos is a ransomware virus that belongs to the crypto family. It is written in Thanatos.pdb programming language and mostly spreads via malicious spam email attachments. As soon as the infiltration succeeds, the ransomware activates its payload and encrypts files using the AES algorithm[1] to make the data on the affected computer unavailable. To mark locked files, the virus appends the .THANATOS extension to each targeted file and drops a README.txt ransom note, which instructs victims to contact the attackers via c-m58@mail.ru and pay 0.01 BTC for a decryption key.

Name: Thanatos
Type: Ransomware
File extension: .THANATOS
Ransom note: README.txt
Contact email: c-m58@mail.ru
Amount of ransom: 0.01 BTC
Distribution: spam, illegal software, fake pop-ups
Decryption: download the free Thanatos decryption tool from GitHub
Elimination: download and install Reimage, Malwarebytes or Combo Cleaner

Thanatos first showed up in February 2018 and soon came back with an updated version later that month. According to researchers, the ransomware authors did not have a decryptor themselves, so paying the ransom was out of the question. In late June 2018, security experts from Cisco managed to crack the malicious code and create a free ThanatosDecryptor. The researchers found a weakness in the procedure the virus uses to derive its encryption key.

The trick lay in how the virus determines the key for each encrypted file. The key is based on the time (in milliseconds) since Windows was last booted. Using the Windows Event Logs to pin down that boot time, security experts were able to recover the key by brute force. Cisco researchers explained the following:[2] 

Since Thanatos does not modify the file creation dates on encrypted files, the key search space can be further reduced to approximately the number of milliseconds within the 24-hour period leading up to the infection. At an average of 100,000 brute-force attempts per second (which was the baseline in a virtual machine used for testing), it would take roughly 14 minutes to successfully recover the encryption key in these conditions.
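The following constructed Python model illustrates the weakness Cisco describes; it is added here as an example and is neither the ransomware's code nor the ThanatosDecryptor. It assumes the per-file key is derived from the millisecond uptime counter, so a boot time taken from the event log and the file's creation time bound the search window, and a known file header (here the PNG magic) confirms the right candidate. The SHA-256 key derivation and hash-based keystream are stand-ins for the sample's real derivation and AES, which this page does not detail.

```python
import hashlib
from typing import Optional

MS_PER_DAY = 24 * 60 * 60 * 1000


def key_from_uptime_ms(uptime_ms: int) -> bytes:
    # ASSUMPTION (stand-in): the 32-byte key is SHA-256 of the tick count.
    # Whatever the real derivation, the key has no more entropy than the
    # millisecond counter it is built from (< 2**27 values in one day).
    return hashlib.sha256(uptime_ms.to_bytes(8, "little")).digest()


def keystream(key: bytes, length: int) -> bytes:
    # Hash-based counter-mode keystream standing in for AES (stdlib only).
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + block.to_bytes(4, "little")).digest()
        block += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, data: bytes) -> bytes:
    # The same function encrypts and decrypts.
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def recover_uptime_ms(ciphertext: bytes, known_prefix: bytes,
                      window_start_ms: int, window_end_ms: int) -> Optional[int]:
    """Brute-force the tick count over an inclusive window.

    The window comes from the boot time (event log) and the encrypted
    file's creation time; known_prefix is a file-format magic that
    confirms a candidate key decrypts correctly.
    """
    head = ciphertext[:len(known_prefix)]
    for tick in range(window_start_ms, window_end_ms + 1):
        if xor_crypt(key_from_uptime_ms(tick), head) == known_prefix:
            return tick
    return None


def search_time_minutes(window_ms: int = MS_PER_DAY, rate_per_s: int = 100_000) -> float:
    # Cisco's figure: a one-day window at 100k attempts/s takes ~14 minutes.
    return window_ms / rate_per_s / 60


if __name__ == "__main__":
    # Constructed sample: a PNG encrypted 1 h 0.123 s after boot, with the
    # event log narrowing the search to a 5-second window.
    png_magic = b"\x89PNG\r\n\x1a\n"
    ciphertext = xor_crypt(key_from_uptime_ms(3_600_123), png_magic + b"...sample body...")
    found = recover_uptime_ms(ciphertext, png_magic, 3_600_000, 3_605_000)
    print("recovered tick:", found, "| full-day search: ~%.1f min" % search_time_minutes())
```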

Image caption: security experts released a Thanatos decryptor that can be downloaded for free.

What sets Thanatos apart from other ransomware viruses is the range of cryptocurrencies it accepts. The victim is allowed to transfer the ransom in Ethereum, Bitcoin, or Bitcoin Cash. Thus, it is the first crypto-ransomware that registers payments via a Bitcoin Cash (BCH) wallet. 

Right after the Thanatos ransomware attack, the victim will no longer be able to open documents, images, multimedia, databases, and other files stored on the machine. However, he or she should see the README.txt file, which serves as the ransom note, in each folder containing locked files. The file provides the contact information (c-m58@mail.ru or thanatos1.1@yandex.com) and cryptocurrency wallet addresses: 

Thanatos v1.1

Your files was encrypted. To decrypt your files,
follow next steps:

1. Send $200 to one of these wallets:
BTC: 1HvEZ1jZ7BWgBYPxqCvWtKja3a9hsNa9Eh
ETH: 0x92420e4D96E5A2EbC617f1225E92cA82E24B03ef
BCH: qzuexhcqmkzcdazq6jjk69hkhgnme25c35s9tamz6f

2. Send your TXID and your MachineID to mail
E-Mail: thanatos1.1@yandex.com
Machine ID: {ID HERE}

—————————————————
Do not waste your time, files can only be
decrypted by our decode tool.

It seems that the developers of the Thanatos ransomware updated it soon after the original version started attacking victims: initially the crooks provided c-m58@mail.ru as the contact email and accepted a 0.01 BTC ransom. However, the version number of the virus did not change. Experts still detect the same v1.1 circulating, but beware that it may present different contact and payment details. 

The ransom note says that after the payment is transferred, the user should receive a decryptor by email. The truth is that there is no Thanatos decryptor at all – neither paid nor free. According to ransomware analysts, this ransomware encrypts files but does not generate a decryption key. It is not clear yet whether the decision to encrypt people's data permanently was made intentionally or accidentally. However, it is clear that you will not be able to decrypt files encrypted by Thanatos ransomware even if you pay the ransom. 

Thus, you should focus on Thanatos removal instead of risking further damage. Unfortunately, deleting the virus will not restore your files, but you will be able to use your PC safely again. If you have backups, simply plug in the external storage device after virus removal and recover your files. 

Those who do not have backups should use the alternative data recovery methods provided at the end of this post. However, we cannot guarantee that they work. Cybersecurity researchers claim that the most effective, though time-consuming, method to unlock files compromised by ransomware is a brute-force search for the key. For this purpose, you should contact professional IT experts. 

To remove Thanatos from the computer safely, you have to obtain a reputable malware removal tool, such as Reimage or Malwarebytes. If you cannot install security software, please follow the guide given below. Keep in mind that manual removal is not recommended due to the complexity of ransomware.

Thanatos is among the most dangerous types of cyber threats. During the attack it may have installed numerous harmful files, injected malicious code into legitimate system processes, and made other changes to the system that cannot be safely fixed manually.

Authors of file-encrypting viruses use multiple distribution methods to infect computers

Typically, ransomware viruses spread via malicious spam emails. Malware can sneak into the system when a user is tricked into opening a Word, PDF or ZIP file that includes a malicious payload. However, security specialists from DieViren.de[3] also report other distribution channels.

Ransomware can also be distributed as:

  • a fake software update that appears as a pop-up while browsing the web;
  • an illegal or obfuscated program on file-sharing sites or networks;
  • malicious ads.[4]

Therefore, you should be careful with the content you click or download online. Additionally, installing recent updates and robust security software helps to avoid ransomware.

Termination of the Thanatos ransomware virus

We mentioned at the beginning that you should not try to remove Thanatos manually. We want to stress that only experienced IT specialists can clean your PC without damaging it. Therefore, instead of locating files or registry entries created by the ransomware, you should opt for the automatic elimination method.

Automatic Thanatos removal can be performed with any professional malware removal program. However, we highly recommend using Reimage or Malwarebytes. If the crypto-virus is resistant and prevents you from accessing security software, follow the steps below.


To remove Thanatos virus, follow these steps:

Remove Thanatos using Safe Mode with Networking

First of all, you should disable the virus so that it can be removed automatically without any obstacles.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start, then Shutdown, then Restart, then OK.
    2. When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot, then Advanced options, then Startup Settings, and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove Thanatos

    Log in to your infected account and start the browser. Download Reimage or another legitimate anti-spyware program. Update it before running a full system scan, then remove the malicious files that belong to the ransomware to complete Thanatos removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove Thanatos using System Restore

If the previous method did not help to remove Thanatos ransomware, follow these steps:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start, then Shutdown, then Restart, then OK.
    2. When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot, then Advanced options, then Startup Settings, and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, type cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When a new window shows up, click Next and select a restore point that predates the Thanatos infiltration. After doing that, click Next.
    4. Now click Yes to start System Restore.
    Once you have restored your system to a previous date, download Reimage, scan your computer with it, and make sure that Thanatos removal has been performed successfully.

Bonus: Recover your data

The guide presented above is meant to help you remove Thanatos from your computer. To recover your encrypted files, we recommend using the detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Thanatos, you can use several methods to restore them:

Data Recovery Pro – alternative tool to restore damaged files

Although it is not an official decryptor, it might still help to restore some of the files.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Thanatos ransomware;
  • Restore them.

Take advantage of Windows Previous Versions feature

If System Restore was enabled before Thanatos ransomware attack, you can follow the steps below and get back access to the most important files:

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to the “Previous versions” tab;
  • Here, check each of the available copies of the file under “Folder versions”. Select the version you want to recover and click “Restore”.

Use ShadowExplorer

If the ransomware did not delete Shadow Volume Copies, you could use ShadowExplorer to restore encrypted files.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and use the drop-down menu in the top left corner to select the disk containing your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Use a free Thanatos decryptor tool

Security experts from Cisco created a free ThanatosDecryptor. Download it and recover your files.

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from Thanatos and other ransomware, use a reputable anti-spyware tool, such as Reimage, Malwarebytes or Combo Cleaner.

About the author

Olivia Morelli, ransomware analyst
