
Published on June 29th, 2018


Cisco releases free Thanatos Ransomware Decryptor Tool


The Cisco Talos team has developed a new free decryption tool, built by analysing Thanatos, a ransomware variant that has spread through several malicious campaigns over the past few months, to help victims recover their encrypted files.

Attackers have used multiple versions of Thanatos in various attacks, which means it is an evolving threat. Unlike most ransomware circulating on the Internet, Thanatos does not demand payment in a single cryptocurrency such as Bitcoin. Instead, the researchers observed that it accepts Bitcoin Cash (BCH), Zcash (ZEC), Ethereum (ETH) and other cryptocurrencies as ransom payment. Moreover, because the ransomware's encryption process is flawed, the attackers cannot return the data even if the victim pays the ransom. Although earlier reports appeared to treat this as accidental, the specific behaviour observed shows that the actors behind it caused this deliberately. To counter the threat, Talos released ThanatosDecryptor, a free decryption tool that takes advantage of weaknesses in the design of the file-encryption method used by Thanatos. Infected victims can use this tool to regain their data.


ThanatosDecryptor first searches the same directory as the ransomware for files carrying the .THANATOS file extension. For each such file, the decryptor extracts the original file extension (which is left unchanged during infection) and compares it against its list of supported file types. If the file type is supported, the file is queued for decryption.

ThanatosDecryptor also parses the uptime messages in the Windows event log and combines them with the creation-time metadata of the encrypted file to determine the starting seed value for decryption. This seed is used to generate an encryption key, which is used to AES-decrypt the file contents; the resulting bytes are then compared against the known valid file header (the magic bytes) for that file type. If they do not match, the decryption attempt has failed, so the seed value is incremented and the process repeats. Once decryption succeeds, the original file is written back to the file system and its original file name is restored.
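The two paragraphs above describe one procedure: select candidate files by extension, estimate a time-based seed, then brute-force the seed by decrypting only the file header and checking it against the expected magic bytes. The following Python model is an added illustration of that search loop and is not Talos's ThanatosDecryptor code. Everything about the cipher is an assumption made for the model: the key schedule (`derive_key`), the HMAC-SHA256 counter keystream that stands in for AES so the block runs with the standard library only, the seed-to-uptime relation in `estimate_seed_start`, and the small `MAGIC_BYTES` table. The sample file, timestamps and seed are constructed.

```python
"""Model of a seed-search decryptor: header-only trial decryption against magic bytes."""
import hashlib
import hmac
import struct
from typing import Optional, Tuple

# Constructed table of file signatures for a few of the supported types
# listed on the page; a real tool carries one entry per supported type.
MAGIC_BYTES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF",
    ".zip": b"PK\x03\x04",
}
ENCRYPTED_SUFFIX = ".THANATOS"


def original_extension(encrypted_name: str) -> Optional[str]:
    """Strip the .THANATOS suffix and return the original extension (lowercased),
    or None if the file is not an encrypted file or its type is unsupported."""
    if not encrypted_name.endswith(ENCRYPTED_SUFFIX):
        return None
    original = encrypted_name[: -len(ENCRYPTED_SUFFIX)]
    dot = original.rfind(".")
    if dot == -1:
        return None
    ext = original[dot:].lower()
    return ext if ext in MAGIC_BYTES else None


def derive_key(seed: int) -> bytes:
    """Hypothetical key schedule: the key depends on the integer seed only,
    which is the weakness the search exploits."""
    return hashlib.sha256(b"model-key-schedule:" + str(seed).encode()).digest()


def keystream(key: bytes, length: int) -> bytes:
    """HMAC-SHA256 counter-mode keystream; a stand-in for AES in this model."""
    blocks = bytearray()
    counter = 0
    while len(blocks) < length:
        blocks += hmac.new(key, struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(blocks[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_with_seed(seed: int, plaintext: bytes) -> bytes:
    """Constructed 'ransomware side': encrypt under a key derived from a
    millisecond uptime counter that is never written anywhere."""
    return xor_bytes(plaintext, keystream(derive_key(seed), len(plaintext)))


def estimate_seed_start(boot_time_s: float, file_creation_s: float, slack_ms: int) -> int:
    """Uptime in milliseconds at the moment the encrypted file was written,
    minus a safety margin, as the first candidate seed (assumed relation)."""
    return max(0, int((file_creation_s - boot_time_s) * 1000) - slack_ms)


def recover(ciphertext: bytes, ext: str, seed_start: int,
            max_tries: int) -> Optional[Tuple[int, bytes]]:
    """Try successive seeds; accept the first whose decryption of the header
    yields the expected signature, then decrypt the whole file with that key."""
    magic = MAGIC_BYTES[ext]
    for seed in range(seed_start, seed_start + max_tries):
        key = derive_key(seed)
        # Only len(magic) bytes are decrypted per candidate, so the search
        # stays cheap even over hundreds of thousands of seeds.
        if xor_bytes(ciphertext[: len(magic)], keystream(key, len(magic))) == magic:
            return seed, xor_bytes(ciphertext, keystream(key, len(ciphertext)))
    return None  # seed not in range: widen slack or max_tries


def demo() -> Tuple[str, int, bytes]:
    """End-to-end run on a constructed PNG-like file; returns (ext, seed, plaintext)."""
    plaintext = MAGIC_BYTES[".png"] + b"\x00\x00\x00\rIHDR" + bytes(range(64))
    true_seed = 7_372_810  # about 2h03m of uptime in ms (constructed)
    boot, created = 1_530_230_000.0, 1_530_230_000.0 + 7_372.810
    ciphertext = encrypt_with_seed(true_seed, plaintext)

    ext = original_extension("holiday.PNG.THANATOS")
    assert ext is not None
    start = estimate_seed_start(boot, created, slack_ms=500)
    result = recover(ciphertext, ext, start, max_tries=5_000)
    assert result is not None
    seed, recovered = result
    return ext, seed, recovered


if __name__ == "__main__":
    ext, seed, recovered = demo()
    print(f"type={ext} seed={seed} header_ok={recovered.startswith(MAGIC_BYTES[ext])}")
```

The check that matters in practice is the false-positive rate of the header test: a four-byte signature such as `GIF8` gives a chance match in roughly one of 2^32 trial decryptions, which is negligible for the seed ranges involved, while a longer signature like PNG's eight bytes is safer still. If the expected seed is not found, the right move is to widen the slack or the try budget rather than to accept a partial header match.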


The ThanatosDecryptor released by the Talos team has been tested successfully against all known sample versions. It currently supports decrypting the following file types:

  • Image: .gif, .tif, .tiff, .jpg, .jpeg, .png
  • Video: .mpg, .mpeg, .mp4, .avi
  • Audio: .wav
  • Document: .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pdf, .odt, .ods, .odp, .rtf
  • Other: .zip, .7z, .vmdk, .psd, .lnk

You can download Thanatos Ransomware Decryptor here.
