Thanatos Ransomware

Original Issue Date:- April 06, 2018
Virus Type:- Ransomware
Severity:- High

A new variant of ransomware is reported dubbed as “Thanatos” ransomware. The modes of spreading is via malicious advertisements, spam emails etc with crafted attachments.

The sophisticated part of this ransomware is that it always used the different key for encrypting the files and did not saved it anywhere which make it near to impossible to decrypt the data.

Once this ransomware infect the victim system it queried the victim system to get the information like Presence of Avenues Power Desk software, Corel software, debuggers, Lotus software, Microsoft PowerPoint, and Star Office software. Based upon this information, attacker planned and dropped the payload on the victim system in the form of exe file, text file and set the auto run registry Key of the victim computer so that the text file will open on each reboot.

After this, the exe payload which attacker drop on victim machine start encrypting all the files of the victim system and add dot Thanatos extension to them. After encrypting, text file pop up on the victim system containing message to pay ransom to decrypt the encrypted file as shown in Figure 1.

Fig1. Thantos ransom notes (source:pricsk)

Indicators of compromise:


Countermeasures and Best practices for prevention:

  • Perform regular backup of all the critical information to minimize the loss
  • Keep the operating system and third party applications (MS office, browsers, browser Plugins and antivirus) up-to-date with the latest patches.
  • Follow safe practices when browsing the web. Ensure the web browsers are secured enough with appropriate content controls.
  • Always Disable Macros, Active X while using MS Office.