Shriram Munde
Thanatos Ransomware – an analysis by Quick Heal Security Labs
February 22, 2018

Quick Heal Security Labs has come across a new ransomware with AES encryption technique that demands 0.01 Bitcoin as a ransom after encrypting the victim’s files. It’s known as Thanatos Ransomware.

Thanatos is a type of a Trojan malware that spreads through malicious advertisements, phishing sites, spam emails, freeware and cracked software.

In spam emails, the ransomware arrives with macro embedded attachments like PDF, Zip, Word or Doc. Opening such a file triggers the encryption.


Work flow of Thanatos

On execution, it checks for the presence of Avenues Power Desk software, Corel software, debuggers, Lotus software, Microsoft PowerPoint, and Star Office software.

After the successful execution, it dropped the following artifacts onto the machine:

Exe file – ‘<%appdata%/random_folder/random.exe> ‘

Registry – ‘user\current\software\Microsoft\Windows\CurrentVersion\Run\DO_NOT_DELETE_THIS = C:\Windows\System32\notepad.exe C:\Users\Desktop\README.txt’

The .exe file starts the encryption activity as soon as it is dropped on the infected system.

Fig 1. Thanatos’ ransom note

After encryption, it appends an extension .THANATOS to the encrypted file and drops the encryption marker file ‘README.txt’.

README.TXT will pop up every time the user reboots the system because of the autorun registry dropped by the malware.

Thanatos, on completion of encryption, deletes its process from the memory.


How Quick Heal protects its users from the Thanatos Ransomware

Quick Heal works on multiple levels to protect its users from this threat. These levels include:

  • Virus Protection
  • Behaviour-based Detection
  • Anti-Ransomware

Fig 2. Anti-Ransomware Tool


Fig 3. Behaviour Detection Tool


Fig 4. Virus Protection

How to stay safe from ransomware attacks

Files encrypted by this ransomware are hard to decrypt as the ransomware uses a different key for each file, which is generated locally. Therefore, users are advised not to pay any ransom. Follow these safety measures:

  • Always take a backup of your important data in external drives like HDD and pen drives. Consider using a reliable Cloud service to store the data.
  • Never install any freeware or cracked versions of any software.
  • Do not open any advertisement pages shown on websites without knowing that they are genuine.
  • Disable macros while using MS Office.
  • Always install and update your anti-virus to protect your system from unknown threats.

Indicators of compromise

MD5: – 681211a7b964eaffd13e0610d82a25e7

Subject Matter Expert

Shalaka Patil | Quick Heal Security Labs



Have something to add to this story? Share it in the comments.

Shriram Munde
About Shriram Munde
Shriram has 5 years of experience in cyber threat research and analysis. He is part of Quick Heal’s Proactive Team. His interests include blogging and exploring...
Articles by Shriram Munde »

No Comments, Be The First!

Your email address will not be published.