Thanatos Decryptor

Once it reaches a computer, the Thanatos ransomware encrypts various types of files by appending them the .THANASOS extension. If you try to open such a file, the ransom note is displayed, asking you to transfer money to an account in exchange for the decode tool. Fortunately, the Talos team of Cisco has released a decryptor for the Thanatos ransomware, which tries to unlock your files without a lot of hassle.

The Thanatos Decryptor is a console application that targets a few folders where files encrypted by Thanatos are found. When launched, it starts a recursive scan against the common system folders, including the Desktop, Documents, Downloads, Favorites, OneDrive, as well as the multimedia directories (Music, Pictures, Videos).

As for the original file types supported by the application, please note that the decryptor can recognize various images (GIF, TIFF, TIF, JPG, JPEG, PNG), WAV audio files, videos (AVI, MPG, MPEG, MP4), documents (the popular Office formats, PDF, RTF, and other files), as well as ZIP and 7z archives, VMDK, LNK, and PSD files. All the files with the .THANASOS extension are placed in a queue and then processed by the decryptor, one by one.

Knowing how the Thanatos ransomware works helps the decryptor get the starting value for unlocking files. The malware uses the GetTickCount value on the victim computer to build the encryption key and that is why the Thanatos Decryptor analyzes the Windows Event log to generate its own encryption key and start AES decryption.

Once the seed value is found, the Thanatos Decryptor can use it to try unlocking all the other encrypted files.

Whiel Thanatos Decryptor does not require any user intervention, it does require patience from your part. The folders Thanatos affects are scanned automatically and the decryption queue is built without you having to do a thing but the entire process might take a while. On the downside, the array of supported formats is limited so decryption might fail for some files.