The Thanatos ransomware first appeared in the threat landscape in February when it was discovered by researchers at the MalwareHunterTeam.
The experts from Talos believe the malware is being actively developed, it was being distributed as attachments to chat messages sent via Discord.
When the malware encrypts files it appends the .THANATOS extension to them. Once the encryption is completed, the malware connects to a specific URL to report the infection.
The Thanatos ransomware is the first ransomware to accept Bitcoin Cash payments, along with Bitcoin and Ethereum.
At the time of its discovery, experts from Talos discovered a series of issues with the encryption process that makes it impossible for attackers to successfully returning the data to the victim.
The experts observed several variants of the malware, the first ones were using the same Bitcoin address for all the victims and the payment processing was manual after the victims were instructed to send an email to the crooks.
The next version implemented the support for more crypto-currencies for the payment processing and included a unique MachineID in the ransom note to distinguish each infection. Victims were instructed to send the MachineID to the attacker via email.
The experts discovered at least one sample that they discovered was informing victims that the decryption was not available, likely because the malware was part of a sabotage.
Once executed on the victim’s machine, the malicious code copies itself into a subdirectory within %APPDATA%/Roaming, then it scans the system for files to encrypt searching them in the Desktop, Documents, Downloads, Favourites, Music, OneDrive, Pictures, and Videos folders.
The encryption keys are derived from the number of milliseconds since the system last booted, but experts noticed that the keys are 32 bits and can store up to 49.7 days’ worth of milliseconds.
The researchers pointed out that 49.7 days is much higher than the average amount of uptime on many systems, this makes brute-force attack easier.
“This value is a 32-bit number, meaning that the encryption key is effectively 32 bits as well. Additionally, the maximum number of milliseconds that can be stored in a 32-bit value is roughly 49.7 days’ worth, which is higher than the average amount of uptime on many systems due to patch installation, system reboots, and other factors.” states the analysis published by Cisco Talos. “This makes brute-forcing the key values significantly cheaper from a time perspective.”
“Another optimization can be made based on the fact that the system uptime is written to the Windows Event Log roughly once per day. Since Thanatos does not modify the file creation dates on encrypted files, the key search space can be further reduced to approximately the number of milliseconds within the 24-hour period leading up to the infection. At an average of 100,000 brute-force attempts per second (which was the baseline in a virtual machine used for testing), it would take roughly 14 minutes to successfully recover the encryption key in these conditions.”
Summarizing, the process of recovering the encryption key would take roughly 14 minutes.
The tool released by Talos only works with versions 1 and 1.1 of the Thanatos ransomware and on all current samples of the ransomware analyzed by the experts.
“Note: In order to decrypt files as quickly as possible, ThanatosDecryptor should be executed on the original machine that was infected and against the original encrypted files that the malware created.” concludes Talos.
The ThanatosDecryptor could be downloaded here.
(Security Affairs – Thanatos ransomware, decryptor)