
Thanatos Ransomware

By GoldSparrow in Ransomware

The Thanatos Ransomware is an encryption ransomware Trojan that was first observed on February 17, 2018. It is delivered to victims through corrupted email attachments in messages that impersonate legitimate emails from services like Amazon, PayPal and Facebook. Corrupted macro scripts install the Thanatos Ransomware on the victim's computer. Once installed, the Thanatos Ransomware encrypts the victim's files in an attempt to extract a ransom payment, promising in return the decryption key needed to restore the affected files.

What the Thanatos Ransomware will Do with Your Files

The Thanatos Ransomware uses a strong encryption method to make the victim's files inaccessible. It focuses on user-generated files, which may include media files such as audio, video, and images, as well as a wide variety of document types, databases, archives, and other commonly used file types. The file types that may be affected by infections like the Thanatos Ransomware include:

.3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .rar, .raw, .rb, .rtf, .sdf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .xqx, .zip.

The Thanatos Ransomware will add the file extension '.THANATOS' to the end of each affected file's name after infecting the targeted machine. This makes it relatively simple to identify files that have been compromised by the Thanatos Ransomware infection.

How the Thanatos Ransomware Demands Its Ransom Payment

The Thanatos Ransomware will demand a ransom payment as soon as the targeted files are encrypted. To do this, the Thanatos Ransomware will deliver a text file named 'README.txt' to the infected computer. This text file contains the following text:

'Your computer is encrypted. All data will be lost if you do not pay 0.01 BTC to the specified BTC wallet
1DRAsxW4cKAD1BCS9m2dutduHi3FKqQnZF
after payment you will receive the decryption code from this mail
c-m58@mail.ru'

However, paying the ransom that the Thanatos Ransomware demands or contacting the people responsible for this attack should be avoided. Instead, computer users should take preemptive steps: remove the Thanatos Ransomware itself and keep backup copies of their files so that the files can be recovered after being encrypted.
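The two markers described above (the '.THANATOS' extension appended to file names and the 'README.txt' note) can be used to scope which directories were affected before restoring from backup. The following is an added example, not part of the original article: the function names and the sample directory tree are constructed for illustration, and the note check assumes the note begins with the wording quoted above.

```python
import os
import tempfile
from collections import defaultdict

ENCRYPTED_EXT = ".thanatos"                 # extension named in the article (case-insensitive match)
NOTE_NAME = "readme.txt"                    # ransom note file name named in the article
NOTE_MARKER = "your computer is encrypted"  # opening words of the quoted note

def is_ransom_note(path):
    """True if a README.txt contains the quoted note wording (an ordinary README does not)."""
    try:
        with open(path, "r", errors="replace") as fh:
            return NOTE_MARKER in fh.read(4096).lower()
    except OSError:
        return False

def triage(root):
    """Walk root; return {directory: {"encrypted": [...], "original_exts": set, "note": bool}}."""
    report = defaultdict(lambda: {"encrypted": [], "original_exts": set(), "note": False})
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if lower.endswith(ENCRYPTED_EXT):
                entry = report[dirpath]
                entry["encrypted"].append(name)
                original = name[: -len(ENCRYPTED_EXT)]  # extension is appended, so strip it
                entry["original_exts"].add(os.path.splitext(original)[1].lower())
            elif lower == NOTE_NAME and is_ransom_note(os.path.join(dirpath, name)):
                report[dirpath]["note"] = True
    return dict(report)

def build_sample_tree(root):
    """Constructed sample data: two affected files, one clean file, a note, a benign README."""
    docs, clean = os.path.join(root, "docs"), os.path.join(root, "clean")
    os.makedirs(docs)
    os.makedirs(clean)
    for name in ("budget.xlsx.THANATOS", "photo.jpg.THANATOS", "untouched.pdf"):
        open(os.path.join(docs, name), "wb").close()
    with open(os.path.join(docs, "README.txt"), "w") as fh:
        fh.write("Your computer is encrypted. All data will be lost ...")
    with open(os.path.join(clean, "README.txt"), "w") as fh:
        fh.write("Project build instructions")
    return docs, clean

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for directory, info in triage(tmp).items():
            print(directory, len(info["encrypted"]), sorted(info["original_exts"]), info["note"])
```

The per-directory list of original extensions shows which file types need to be restored from backup in each location.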

Protecting Your Data from Threats Like the Thanatos Ransomware

The best protection against threats like the Thanatos Ransomware is to have file backups on an external memory device. This allows computer users to restore their data after it has been compromised by the Thanatos Ransomware infection. Having file backups is, in fact, such effective protection against threats like the Thanatos Ransomware that it can in itself be enough to dissuade most attacks, and if enough computer users had file backups, it is likely that these attacks would disappear completely. The Thanatos Ransomware infection itself can be removed with the help of a reliable security program that is fully up-to-date. However, security software will not be capable of restoring files that were encrypted by the attack; for this, file backups are the most effective solution. Malware researchers advise computer users to handle email messages and unsolicited email attachments with caution, since this is currently the main way in which the Thanatos Ransomware and similar ransomware threats are distributed.
