THANATOS ransomware virus - How to remove

Yet another dangerous virus, Thanatos, was discovered by MalwareHunterTeam just yesterday, and we already have our hands on it.

This virus is categorised as ransomware, i.e. it will try to encrypt your files and demand a ransom to be paid in order to retrieve them. In fact, it is the very first ransomware infection (as far as we know) that uses the Bitcoin Cash cryptocurrency for ransom payments.

Combine that with the fact that Thanatos uses a different decryption key for every single encrypted file and you have a rather atypical ransomware virus. Usually, infections like DataKeeper ransomware or Twist virus use a very clear technique that simplifies the payment operation, but Thanatos acts differently, and that's strange.

Complicated encryption and several payment options

The strangest thing about this ransomware is that it generates a different encryption key for every single file stored on your computer. Even though the extension added to each file remains the same, it is still really difficult to process such a high volume of encryption keys.

Some cyber security experts believe that this ransomware is not even functioning as it should: it can encrypt files and receive a ransom payment, but decryption is not available because those unique keys are not saved.

Whether that is true or not, it still poses a big threat to your computer and personal files. THANATOS ransomware comes as an attachment to email messages and is placed on the system when the user downloads that malicious attachment. Most of the time such messages end up in the spam folder, so the best practice for avoiding ransomware like this is not to open emails from unknown senders, especially if they were marked as spam.

In case you already did that, encryption is inevitable. Thanatos will scan your computer for files that can be encrypted and then add .THANATOS extension to every single one of them. After this, you won’t be able to open any of your files.

Also, it will create a “README.txt” file and place it on your desktop. It is a ransom note with instructions on how to pay the ransom. Original text from the file:

—————————————————
________ _____ _ _____ __________ _____
/_ __/ / / / | / | / / |/_ __/ __ \/ ___/
/ / / /_/ / /| | / |/ / /| | / / / / / /\__ \
/ / / __ / ___ |/ /| / ___ |/ / / /_/ /___/ /
/_/ /_/ /_/_/ |_/_/ |_/_/ |_/_/ \____//____/

—————————————————
Thanatos v1.1

Your files was encrypted. To decrypt your files,
follow next steps:

1. Send $200 to one of these wallets:
BTC: 1HvEZ1jZ7BWgBYPxqCvWtKja3a9hsNa9Eh
ETH: 0x92420e4D96E5A2EbC617f1225E92cA82E24B03ef
BCH: qzuexhcqmkzcdazq6jjk69hkhgnme25c35s9tamz6f

2. Send your TXID and your MachineID to mail
E-Mail: [email protected]
Machine ID: {ID HERE}

—————————————————
Do not waste your time, files can only be
decrypted by our decode tool.

Users are forced to pay $200 in one of the following cryptocurrencies: Bitcoin, Ethereum or Bitcoin Cash. They are also encouraged to contact the cyber criminals via [email protected] and send their unique ID codes there.

As we have mentioned before, there are serious doubts that this ransomware can actually decrypt files, so paying the ransom in order to restore your files is not an option at all. Even though $200 might not look like much, it is much better to invest that money in protecting your computer than in supporting cyber criminals.

There are a few alternatives to paying the ransom. You can scan your computer with an anti-malware application, such as Spyhunter. It should be able to detect and remove malicious files related to the THANATOS infection.

Next, you should try to restore your files. However, in order to do that you have to have a valid backup copy of your hard drive that was made before the infection and stored on an external drive or cloud. If you do have one, follow this restore guide to get your files back.
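Before restoring, it helps to know how many files were hit and which of them the backup actually covers. The following Python sketch is an added example, not part of the original guide or any vendor tool: it inventories files carrying the .THANATOS extension, checks each against a backup copy, and locates ransom notes. The function names are hypothetical, and it assumes the extension is appended to the original file name and that the backup mirrors the original folder layout.

```python
import os
import tempfile

EXT = ".THANATOS"           # extension the guide says is added to encrypted files
NOTE_NAME = "README.txt"    # ransom note file name given in the guide
NOTE_MARKER = "Thanatos v"  # version banner string from the quoted note


def triage(scan_root, backup_root):
    """Return (restorable, missing, notes) for files under scan_root.

    restorable/missing hold original relative paths (extension stripped);
    notes holds paths of README.txt files that contain the note banner.
    Assumption: backup_root mirrors the directory layout of scan_root.
    """
    restorable, missing, notes = [], [], []
    for dirpath, _dirs, files in os.walk(scan_root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.upper().endswith(EXT) and len(name) > len(EXT):
                original = os.path.relpath(full[: -len(EXT)], scan_root)
                if os.path.isfile(os.path.join(backup_root, original)):
                    restorable.append(original)
                else:
                    missing.append(original)
            elif name == NOTE_NAME:
                try:
                    with open(full, "r", errors="replace") as fh:
                        if NOTE_MARKER in fh.read(4096):
                            notes.append(full)
                except OSError:
                    pass  # unreadable file: skip it, do not abort the scan
    return sorted(restorable), sorted(missing), sorted(notes)


def demo():
    """Build a constructed sample tree and run the triage over it."""
    with tempfile.TemporaryDirectory() as tmp:
        scan, backup = os.path.join(tmp, "scan"), os.path.join(tmp, "backup")
        os.makedirs(os.path.join(scan, "docs"))
        os.makedirs(os.path.join(backup, "docs"))
        for rel in ("docs/report.docx" + EXT, "photo.jpg" + EXT, "notes.txt"):
            open(os.path.join(scan, rel), "wb").close()
        open(os.path.join(backup, "docs", "report.docx"), "wb").close()
        with open(os.path.join(scan, NOTE_NAME), "w") as fh:
            fh.write("Thanatos v1.1\nYour files was encrypted.\n")
        r, m, n = triage(scan, backup)
        return r, m, [os.path.relpath(p, scan) for p in n]


if __name__ == "__main__":
    print(demo())
```

Files in the "missing" list have no counterpart in the backup, so keep their encrypted copies rather than deleting them during cleanup.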
