Thana Ransomware

By GoldSparrow in Ransomware

The Thana Ransomware is another file-encrypting threat that was recently uncovered by security researchers. Once inside a machine, the Thana Ransomware scans the infected computer to find the files it intends to encrypt. It then encrypts them using RSA-4096 and AES-256, two very effective encryption methods. As soon as the Thana Ransomware finishes encrypting the files, it displays a ransom note, dropped in a file named "HELP_ME_RECOVER_MY_FILES.txt". The note warns victims about what happened to their files, asks for a $500 ransom to be paid in Bitcoin, and provides the Bitcoin wallet to which the money should be sent (32bzWrWXXbWGSwB4gGTQt8RdzuNQVaS9Md) and the email address through which victims can contact the attackers (recoba90@protonmail(dot)com).

What Does Thana Ransomware Do?

The virus does more than just encrypt the data, however, as it also appends a “.Thana” file extension to infected files. For example, a file called “Image.JPG” would become “Image.JPG.Thana”. The virus also drops a ransom note called “HELP_ME_RECOVER_MY_FILES.txt” in folders with infected files. The ransom note reads as follows:

1 - What Happened to My Computer ?
Your business is at serious risk.
There is a significant hole in the security system of your company.
We've easily penetrated your network and now all your files, documents, photos, databases, ...are safely
encrypted with the strongest millitary algorithms RSA4096 and AES-256.
No one can help you to restore files without our special decoder (thanatos decryption).
We have also uploaded a lot of files from your network on our secure server, so if you refuse to pay the ransom,those files will be published or solded to competitors.
2 - Can I Recover My Files ?
Sure, we guarantee that you can recover all your files safely.
If you want to restore your files write to recoba90@protonmail.com and attach 2 encrypted files (Less than 2MB each) and we will decrypt them.
Please don't forget to precise the name of your compagny and your unique identifier key in the email.
But if you want to decrypt all your files, you need to pay.
You only have 5 days from this moment to submit the payment. After that all your files will be lost definitely.
3 - How Do I Pay ?
Payment is accepted in bitcoin only. You can buy bitcoins from :
-hxxps://www.coinbase.com
-hxxps://localbitcoins.com
The final price of decryption is 500$ .
First : Send 500$ worth of bitcoin to the following address : 32bzWrWXXbWGSwB4gGTQt8RdzuNQVaS9Md
Second: send an email to recoba90@protonmail.com and don't forget to precise the name of you compagny, your wallet ID and your unique identifier key.
After that, we will send you our thanatos decryption tool to restore all your files.

!!!!Be warned, we won't be able to recover your files if your start fiddling with them.!!!!

Thanatos ransomware
No System Is Safe
Bitcoin wallet to make the transfer to is:
32bzWrWXXbWGSwB4gGTQt8RdzuNQVaS9Md
Unique Identifier Key (must be sent to us together with proof of payment):
--------
-
--------
Number of files that you could have potentially lost forever can be as high as: 516

The ransom note explains in more detail what the ransomware does. According to the note, the victim's files are encrypted with RSA-4096 and AES-256. The note also says that information has been exfiltrated from the computer. If the victim doesn’t pay the ransom, the note threatens that the information will be sold to competitors, so that the attackers get their money one way or another.
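The two on-disk indicators described above (the “.Thana” suffix and the “HELP_ME_RECOVER_MY_FILES.txt” note) are enough to scope which folders were hit before restoring from backup. The following Python sketch is an added example, not part of the original article; the function names, the case-insensitive matching, and the sample directory tree are assumptions constructed for illustration.

```python
import os
import tempfile
from collections import defaultdict

# Indicators from the article; case-insensitive matching is an assumption.
ENCRYPTED_SUFFIX = ".thana"
NOTE_NAME = "help_me_recover_my_files.txt"

def triage(root):
    """Map each affected directory to its renamed files and note presence."""
    hits = defaultdict(lambda: {"encrypted": [], "note": False})
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lowered = name.lower()
            if lowered == NOTE_NAME:
                hits[dirpath]["note"] = True
            elif lowered.endswith(ENCRYPTED_SUFFIX):
                hits[dirpath]["encrypted"].append(name)
    return dict(hits)

def original_name(encrypted_name):
    """Strip the appended extension: 'Image.JPG.Thana' -> 'Image.JPG'."""
    return encrypted_name[: -len(ENCRYPTED_SUFFIX)]

def summarize(hits):
    """Totals for an incident ticket. Folders with renamed files but no note
    are listed separately for manual review (heuristic, not from the article)."""
    total = sum(len(h["encrypted"]) for h in hits.values())
    no_note = sorted(d for d, h in hits.items() if h["encrypted"] and not h["note"])
    return {"directories": len(hits), "encrypted_files": total, "without_note": no_note}

def build_sample_tree(base):
    """Constructed sample data: empty files named as the article describes."""
    layout = {
        "docs": ["Image.JPG.Thana", "report.docx.THANA", "HELP_ME_RECOVER_MY_FILES.txt"],
        "clean": ["notes.txt"],
        "partial": ["db.sqlite.Thana"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(base, folder))
        for name in names:
            open(os.path.join(base, folder, name), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(summarize(triage(tmp)))
```

The `original_name` helper gives the pre-encryption filename, which is what a backup inventory would be matched against during recovery.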

Attackers demand a ransom for the safe return of encrypted data and for the exfiltrated data to not be sold online. The ransom is set at $500 worth of Bitcoin, and victims are given five days to make the payment. Victims can send the attacker two encrypted files that will be decrypted for free, as proof that the decryption program really works. This is one way that cybercriminals create a false sense of security with their victims. People are more likely to pay up if they believe in what the criminal says.

Payments are sent through email, and, once received, victims will be sent the decryption key to restore lost data. At least, that’s what the criminals promise. The note also cautions against tampering with files and trying to decrypt them through other means, saying that doing this will cause permanent damage and data loss.

Unfortunately, more often than not, it is impossible to undo the damage of a ransomware attack without the involvement of the original threat actor. There are cases where security researchers can put together decryption tools thanks to bugs and errors in the ransomware, but this isn’t always the case. With that said, researchers warn against paying the ransom. There are many cases of people being scammed, with criminals not sending the decryption key even if they are paid.

The only way to properly protect your computer from a Thana infection is to remove the virus altogether. If you don’t do that, then you could just get infected again, even if you restore files from a backup. Being able to restore lost, stolen, and destroyed information is the main reason to keep backups of all your essential data.

How Does Thana Ransomware Infect Computers?

Like most ransomware, Thana spreads through spam email campaigns and program exploits.

Emails

Cybercriminals exploit their victims by sending out spam emails. The emails have false header information to trick users into believing they come from a shipping company. The email says that the company in question attempted to deliver a package to you but failed. The emails may also claim that a shipment you made couldn’t be completed for some reason.

Readers are tempted to access the attached file to find out what happened to their package. Once the user accesses the attached file or clicks on the link included with the email, their computer is infected.

Program Exploits

Security researchers have seen ransomware attack victims by exploiting potential vulnerabilities in software programs and computer operating systems. These exploits target the operating system, internet browsers, third-party installations, and Microsoft Office.

How to Protect Your Computer From Thana Ransomware

There are several steps you can take to protect yourself and your computer from Thana ransomware and other ransomware. The most important thing to do is to avoid opening email attachments and links if you aren’t sure of the source. If in doubt, don’t do it. It’s also worth keeping a robust backup schedule where you regularly back up data on your computer. The more copies you have of essential data, the better. That way, even if someone does infect your computer and lock your files away, you can just restore them and get on with your day.

Don’t forget to keep your applications, programs, and operating systems up to date. The constant updates can be overwhelming, but most updates are issued to patch exploits that viruses use to infect computers. Keep your computer up to date, and you’ll have a lot less to worry about in terms of viruses, malware, and ransomware.
