Thanatos Decryptor: A Step-by-Step Guide to Recovering Your Files
The Cisco Talos Thanatos Decryptor is a free, open-source tool designed to recover files encrypted by the Thanatos ransomware without paying a ransom.
If your computer was infected by this malware, your files likely have the .THANATOS extension appended to them. Paying the attackers is pointless because the Thanatos malware is poorly written; it intentionally discards the encryption keys, meaning the attackers themselves cannot decrypt your data. Thankfully, security researchers discovered a flaw in how the keys are generated, allowing this tool to break the encryption via a targeted brute-force approach.

How the Thanatos Decryptor Works
The Thanatos ransomware generates a unique 32-bit encryption key for every individual file based on the number of milliseconds passed since the system was last booted. Because the malware does not alter the file creation dates during encryption, the key search window can be narrowed down significantly.
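To make the weakness concrete, here is an added toy model (not Talos's decryptor and not Thanatos's actual cipher; the SHA-256 keystream, the magic-byte table, the boot time and the file timestamps are all constructed for the demo) of a per-file key taken from milliseconds since boot, the creation-time window that bounds the search, and the reuse of the first recovered seed to unlock the remaining files:

```python
import hashlib
import struct

# Toy stand-in for the ransomware's cipher: a 32-bit seed (milliseconds since
# boot) is expanded into a keystream and XORed over the file. The SHA-256
# expansion is an assumption for this demo, not Thanatos's real construction.
def keystream(seed: int, length: int) -> bytes:
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(struct.pack("<II", seed & 0xFFFFFFFF, block)).digest()
        block += 1
    return out[:length]

def xor(data: bytes, seed: int) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(seed, len(data))))

# Leading bytes of a few supported file types (constructed subset). A candidate
# seed is confirmed by checking the decrypted header, so no attacker key is needed.
MAGIC = {"pdf": b"%PDF", "png": b"\x89PNG", "zip": b"PK\x03\x04"}

def search_seed(ciphertext: bytes, ext: str, low: int, high: int):
    """Try every uptime value in [low, high]; return the first seed whose
    decryption yields the expected header, or None. The window, not 2^32,
    bounds the work."""
    magic = MAGIC[ext]
    for seed in range(max(0, low), high + 1):
        if xor(ciphertext[: len(magic)], seed) == magic:
            return seed
    return None

def recover(files, boot_ms: int, slack_ms: int = 60_000, tight_ms: int = 1_000):
    """files: list of (ciphertext, ext, creation_time_ms); boot_ms: boot time
    taken from the event log. The first file is searched around
    (creation - boot) with a wide slack; once one seed is known, later files
    are searched around seed + creation-time delta with a tight slack, which
    is the 'reuse the first seed' shortcut."""
    results, anchor = [], None  # anchor = (seed, creation time) of first hit
    for ct, ext, created in files:
        if anchor is None:
            center, slack = created - boot_ms, slack_ms
        else:
            center, slack = anchor[0] + (created - anchor[1]), tight_ms
        seed = search_seed(ct, ext, center - slack, center + slack)
        if seed is not None and anchor is None:
            anchor = (seed, created)
        results.append(None if seed is None else xor(ct, seed))
    return results

# Constructed sample: boot at epoch 1_700_000_000_000 ms; two files written at
# uptimes 5_000_123 and 5_003_900 ms; timestamps lag the tick counter by 250 ms.
BOOT_MS = 1_700_000_000_000
SAMPLE = [
    (xor(b"%PDF-1.7 quarterly report", 5_000_123), "pdf", BOOT_MS + 5_000_123 + 250),
    (xor(b"PK\x03\x04 archive payload", 5_003_900), "zip", BOOT_MS + 5_003_900 + 250),
]
```

Run `recover(SAMPLE, BOOT_MS)` to see both plaintexts come back; the first file costs tens of thousands of trials, the second only a few hundred.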
The Thanatos Decryptor exploits this loophole by reviewing Windows Event Logs to establish system uptime, which bounds the range of possible key values. It then tests roughly 100,000 keys per second against the encrypted files. Once it successfully guesses the key for one file, it uses that seed value to rapidly unlock the remaining files on your drive. The average time required to successfully crack a key is about 14 minutes.

Supported File Extensions
The command-line program currently targets files within common user directories. It natively supports the decryption of the following file types:
Documents: .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pdf, .odt, .ods, .odp, .rtf
Images: .gif, .tif, .tiff, .jpg, .jpeg, .png
Videos: .mpg, .mpeg, .mp4, .avi
Audio: .wav
Archives & Other: .zip, .7z, .vmdk, .psd, .lnk

Step-by-Step Recovery Process
Follow these steps directly on the originally infected machine to maximize your recovery speed.

Step 1: Isolate and Clean Your System
Do not attempt to decrypt files on an actively infected machine.
Disconnect your computer from the internet and any local networks to prevent further infection.
Download a reputable security tool on a clean device, transfer it via USB, and run a full system scan to remove the core ransomware payload.