To borrow from the board game Monopoly: if you have been unlucky enough to be infected with a variant of the Thanatos ransomware, researchers at Cisco Talos have developed your “get out of jail free” card. Good news for anyone looking for a free way to decrypt their data.
Thanatos operates like many other ransomware families: once it infects a user’s PC, it encrypts their data and demands a ransom payment. In the early days of ransomware the payment was sometimes made in ordinary currency, but times have changed, and most bad actors now demand their ransom in cryptocurrency.
Thanatos changes the rules a bit by accepting payment in any of several cryptocurrencies, as reported by The Hacker News on June 26, 2018. According to that article,
"Unlike other ransomware commonly being distributed, Thanatos does not demand ransom payments to be made using a single cryptocurrency like bitcoin. Instead, it has been observed supporting ransom payments in the form of Bitcoin Cash (BCH), Zcash (ZEC), Ethereum (ETH) and others."
So what does a ransomware program like Thanatos actually do to your data? Once it runs, it encrypts each file with a different key and appends the .THANATOS extension to the file name. When the user next logs in, a message directs them to the ransom payment site.
The way Thanatos generates and handles those keys makes the encryption impossible for its own operators to undo: the per-file keys are never saved locally or sent to the attackers. Paying the ransom therefore buys nothing, because nobody holds a key that can decrypt the files.
Cisco Talos researchers analyzed the malware and found a weakness in how the keys are generated. Without getting too deep into the weeds, the basics are this: the key for each file is derived from the number of milliseconds since the system last booted. That value carries very little entropy; anyone who can narrow down roughly when a file was encrypted only has to try the uptime values in that window.
Fortunately, the malware leaves the files’ creation timestamps intact and does not touch the Windows event logs, which record when the system booted. Subtracting the boot time from a file’s creation time gives the approximate uptime at which it was encrypted, and that bounds the search. A brute force attack over that window, combined with some careful reverse engineering, decrypted the files in about 14 minutes in Talos’s testing. No ransom required. Cisco Talos has published the tool, ThanatosDecryptor, as open source.
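To make the weakness concrete, here is an added example in Python. It is not ThanatosDecryptor and not the malware’s real key-derivation or cipher code: the SHA-256 key derivation, the toy counter-mode keystream, the boot time, the file creation timestamp and the PNG “plaintext” are all constructed stand-ins. What it does reproduce is the actual logic: a key whose only entropy is a millisecond uptime counter, and a search bounded by (file creation time − boot time from the event log) and verified against a known file header.

```python
import hashlib
from datetime import datetime

# --- Constructed sample evidence (not real Thanatos artefacts) ---
# Boot time as it would be read from the Windows event log, and the
# creation timestamp of one encrypted file as read from the file system.
BOOT_TIME = datetime(2018, 6, 20, 8, 0, 0)
FILE_CREATED = datetime(2018, 6, 20, 9, 30, 12)

# Known header bytes used to recognise a correct decryption (PNG magic).
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def derive_key(tick_ms: int) -> bytes:
    """Assumed stand-in for the malware's key derivation: the only input is
    the 32-bit millisecond uptime counter, so there are at most 2**32 keys,
    and far fewer once the uptime at encryption time is bounded."""
    return hashlib.sha256(tick_ms.to_bytes(4, "little")).digest()


def keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream (SHA-256 based) standing in for the real
    cipher; only its determinism and reversibility matter here."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "little")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) by XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def ms_since_boot(boot: datetime, when: datetime) -> int:
    """Uptime in milliseconds at the instant 'when', given the boot time."""
    return int((when - boot).total_seconds() * 1000)


def recover(ciphertext: bytes, magic: bytes, boot: datetime,
            created: datetime, slack_ms: int = 60_000):
    """Brute-force the uptime-derived key.  The file's creation time minus
    the boot time is the uptime at which the encrypted file was written, so
    the true seed lies within a few seconds of it.  Search +/- slack_ms
    around that centre instead of the full 2**32 space, and accept a
    candidate only if it decrypts the header to the expected magic bytes.
    Returns (tick_ms, plaintext) or None if no candidate matches."""
    centre = ms_since_boot(boot, created)
    lo, hi = max(0, centre - slack_ms), centre + slack_ms
    head = ciphertext[:len(magic)]
    for tick in range(lo, hi + 1):
        key = derive_key(tick)
        # Cheap check on the header first; the keystream prefix is the same
        # for the header and the whole file, so a match here is conclusive.
        if xor_crypt(key, head) == magic:
            return tick, xor_crypt(key, ciphertext)
    return None


def demo():
    """Simulate one infection and one recovery on constructed data."""
    plaintext = PNG_MAGIC + b"constructed image body"
    # The malware picked its seed 3 s before the encrypted file was written.
    true_tick = ms_since_boot(BOOT_TIME, FILE_CREATED) - 3_000
    ciphertext = xor_crypt(derive_key(true_tick), plaintext)
    return true_tick, recover(ciphertext, PNG_MAGIC, BOOT_TIME, FILE_CREATED)


if __name__ == "__main__":
    true_tick, result = demo()
    print("true seed:", true_tick, "recovered:", result[0] if result else None)
```

The window in `recover` is the whole trick: without the boot time and the file timestamps the search space is 2^32 seeds per file, which is still feasible but slow; with them it shrinks to roughly 10^5 candidates, which finishes in well under a second here. Even scanning every millisecond since boot (about 5.4 million candidates in this sample) would be practical, which is why uptime makes a hopeless key seed.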
Because variants of this ransomware have already been found in the wild, the researchers expect it to keep evolving. Unfortunately, releasing the decryptor as open source also means the malware’s authors can study it and learn from their mistakes in the next version. It is a vicious cycle.
The best defense is to practice safe surfing and communicating. As we have noted in other posts, never click a link embedded in an email from a source you do not know or were not expecting. Legitimate companies such as your bank will never send an embedded link asking you to change account information. Just as important for ransomware specifically: keep regular backups on storage that is offline or otherwise not writable from the infected machine, because a free decryptor exists only when the malware authors have made a mistake like this one.
Maintain an updated and capable anti-virus/anti-malware program to protect against infected websites and other malicious attacks. And when it comes to secured communications, trust yours to CRIP.TO. Our unique combination of software, hardware, and stack of services gives our users unparalleled security and anonymity.
You deserve the freedom to communicate fearlessly, and CRIP.TO gives you the tools to achieve that goal.