Quick Heal Security Labs has come across a new ransomware with AES encryption technique that demands 0.01 Bitcoin as a ransom after encrypting the victim’s files. It’s known as Thanatos Ransomware.
Thanatos is a type of a Trojan malware that spreads through malicious advertisements, phishing sites, spam emails, freeware and cracked software.
In spam emails, the ransomware arrives with macro embedded attachments like PDF, Zip, Word or Doc. Opening such a file triggers the encryption.
Work flow of Thanatos
On execution, it checks for the presence of Avenues Power Desk software, Corel software, debuggers, Lotus software, Microsoft PowerPoint, and Star Office software.
After the successful execution, it dropped the following artifacts onto the machine:
Exe file – ‘<%appdata%/random_folder/random.exe> ‘
Registry – ‘user\current\software\Microsoft\Windows\CurrentVersion\Run\DO_NOT_DELETE_THIS = C:\Windows\System32\notepad.exe C:\Users\Desktop\README.txt’
The .exe file starts the encryption activity as soon as it is dropped on the infected system.
Fig 1. Thanatos’ ransom note
After encryption, it appends an extension .THANATOS to the encrypted file and drops the encryption marker file ‘README.txt’.
README.TXT will pop up every time the user reboots the system because of the autorun registry dropped by the malware.
Thanatos, on completion of encryption, deletes its process from the memory.
How Quick Heal protects its users from the Thanatos Ransomware
Quick Heal works on multiple levels to protect its users from this threat. These levels include:
How to stay safe from ransomware attacks
Files encrypted by this ransomware are hard to decrypt as the ransomware uses a different key for each file, which is generated locally. Therefore, users are advised not to pay any ransom. Follow these safety measures:
Indicators of compromise
MD5: – 681211a7b964eaffd13e0610d82a25e7
Subject Matter Expert
Shalaka Patil | Quick Heal Security Labs