{
	"id": "04a7e1e6-75fe-4096-a6eb-31a9cfccc47b",
	"created_at": "2026-04-06T00:19:29.496253Z",
	"updated_at": "2026-04-10T03:20:01.087943Z",
	"deleted_at": null,
	"sha1_hash": "615f360dda2039b73e138c2b244ef508c9414513",
	"title": "Files Cannot Be Decrypted? Challenge Accepted. Talos Releases ThanatosDecryptor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 511911,
	"plain_text": "Files Cannot Be Decrypted? Challenge Accepted. Talos Releases\r\nThanatosDecryptor\r\nBy Edmund Brumaghin\r\nPublished: 2018-06-26 · Archived: 2026-04-05 19:14:02 UTC\r\nTuesday, June 26, 2018 11:00\r\nThis blog post was authored by Edmund Brumaghin, Earl Carter and Andrew Williams.\r\nAdditionally, due to issues present within the encryption process leveraged by this ransomware, the malware authors are\r\nunable to return the data to the victim, even if he or she pays the ransom. While previous reports seem to indicate this is\r\naccidental, specific campaigns appear to demonstrate that in some cases, this is intentional on the part of the distributor.\r\nIn response to this threat, Talos is releasing ThanatosDecryptor, a free decryption tool that exploits weaknesses in the\r\ndesign of the file encryption methodology used by Thanatos. This utility can be used by victims to regain access to their\r\ndata if infected by this ransomware.\r\nTechnical details\r\nOngoing evolution of Thanatos\r\nWhile tracking and analyzing the various campaigns being used to distribute the Thanatos\r\nransomware, Talos identified multiple distinct versions of this malware, indicating that it is continuing\r\nto be actively developed by the malware author. The main differences can be directly observed within\r\nthe ransom note being used to inform victims that they have been infected and provide instructions for\r\npaying a ransom to the attacker. Version 1 of Thanatos, which was being distributed in mid-February\r\nof this year, featured a very primitive ransom note that is stored on the victim's desktop as\r\nREADME.txt.\r\nhttps://blog.talosintelligence.com/2018/06/ThanatosDecryptor.html\r\nPage 1 of 12\n\nIn this version of Thanatos, the ransom note simply informs the user that their files have been encrypted and instructs\r\nthem to pay a ransom amount of 0.01 bitcoin (BTC) to the specified bitcoin wallet. 
Rather than using different wallet\r\naddresses across samples, the same hardcoded wallet address is present in all samples of this version of Thanatos that\r\nTalos analyzed. Payment processing appears to be manual and email-based, which is indicative of an attacker with\r\nlimited resources and knowledge of ransomware creation and distribution techniques used by other more well-known\r\nransomware families such as Locky, Cerber, etc.\r\nShortly after Version 1 was observed being distributed, malware distribution campaigns began distributing Thanatos\r\nVersion 1.1, with the majority of the distribution of Version 1.1 occurring between February and April 2018. This\r\nupdated version of Thanatos featured several key differences related to the type of cryptocurrencies that victims could\r\npay with.\r\nAs can be seen in the screenshot of the ransom note above, Thanatos Version 1.1 supports payment of the ransom\r\ndemand using BTC, ETH, and BCH. Additionally, the malware now includes a unique MachineID that the victim is\r\ninstructed to send to the attacker via email.\r\nInterestingly, the ransom notes changed several times across samples that Talos analyzed. Below is another example of\r\none of the ransom notes used by this malware. Note that the attacker had changed the email address being used to\r\ncommunicate with victims. 
The attacker was also purporting to process ransom payments in the form of Zcash versus\r\nthe other cryptocurrencies listed in the other ransom notes.\r\nIn investigating the distribution mechanisms being used by the attacker to infect victims and remove their ability to\r\naccess data on their system, we identified an interesting campaign that indicated that, at least in this particular case, the\r\nattacker had no intention of providing any sort of data decryption to the victim. The malware appears to have been\r\ndelivered to the victim as an attachment to a chat message sent to the victim using the Discord chat platform. Discord is\r\na voice and text chatting platform that allows direct communications between two or more participants. The URL\r\nhosting the attached malware is below:\r\nhxxps://cdn[.]discordapp[.]com/attachments/230687913581477889/424941165339475968/fastleafdecay.exe\r\nThe filename used in this case was \"fastleafdecay.exe\", which may indicate that the victim was tricked into executing the\r\nmalware as it was posing as a mod of the same name in the video game Minecraft. When executed, this sample\r\ndisplayed the following ransom note to victims:\r\nAs can be seen in the above screenshot, the malware author did not include any instructions for paying a ransom, instead\r\nstating that decryption was not available, indicating that this particular case was not financially motivated, and instead\r\nwas used to destroy data on the victim's system. Interestingly, the PDB path that was intact on this sample differed from\r\nthe other samples that Talos analyzed. 
In this case, the PDB path was:\r\n       C:\\Users\\Artur\\Desktop\\csharp - js\\косте пизда\\Release\\Thanatos.pdb\r\nMost of the other samples contained the following PDB path:\r\n       D:\\Work\\Thanatos\\Release\\Thanatos.pdb\r\nTalos also observed a sample that had been compiled in debug mode that contained the following PDB path:\r\n       D:\\Работа\\Локер шифровчик\\Thanatos-master\\Debug\\Thanatos.pdb\r\nThanatos operations and encryption process\r\nWhen executed on victim systems, Thanatos copies itself into a subdirectory that it creates within\r\n%APPDATA%/Roaming. The subdirectory name and executable file name are randomly generated\r\nbased on system uptime and change each time the malware executes.\r\nThanatos recursively scans the following directories within the current user's profile to identify files to encrypt:\r\n        Desktop\r\n        Documents\r\n        Downloads\r\n        Favourites\r\n        Music\r\n        OneDrive\r\n        Pictures\r\n        Videos\r\nWhile many ransomware families have a specific list of file extensions that are supported for encryption, Thanatos\r\nsupports encryption of any file that has an extension. For each file that the malware locates, it derives an encryption key\r\nbased on the number of milliseconds that the infected system has been running via a call to GetTickCount. The malware\r\nthen encrypts the file using Advanced Encryption Standard (AES)-256 and discards the encryption key. The process of\r\ndiscarding the encryption key precludes the attacker from being able to provide access to the decrypted data, even if a\r\nransom demand is paid. Encrypted files are then written to the filesystem with the .THANATOS file extension and the\r\noriginal files are deleted.\r\nThe malware also leverages an external website called iplogger. 
This website provides customized URLs that can be\r\nused to track information about systems that access the URL. By making HTTP GET requests using these hardcoded\r\nURLs, the attacker can obtain information about all of the different systems that have been infected with Thanatos.\r\nThe HTTP GET requests are all made using the following user agent:\r\nMozilla/5.0 (Windows NT 6.1) Thanatos/1.1\r\nTalos has observed the following iplogger URLs hardcoded into various Thanatos samples that were analyzed:\r\n        hxxp://iplogger[.]com:80/1CUTM6\r\n        hxxp://iplogger[.]com:80/1t3i37\r\nThe ransom note associated with Thanatos is saved to the infected user's desktop using the filename README.txt. A\r\nregistry entry is created so that each time the system boots, the ransom note is displayed using the Notepad application.\r\nThis registry key is located in:\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nAside from this, the malware does not obtain persistence for the executable itself.\r\nThanatosDecryptor\r\nAs previously described, the encryption keys used to encrypt files on victims' systems are derived\r\nbased upon the number of milliseconds since the system last booted. This value is a 32-bit number,\r\nmeaning that the encryption key is effectively 32 bits as well. Additionally, the maximum number of\r\nmilliseconds that can be stored in a 32-bit value is roughly 49.7 days' worth, which is higher than the\r\naverage amount of uptime on many systems due to patch installation, system reboots, and other\r\nfactors. This makes brute-forcing the key values significantly cheaper from a time perspective.\r\nAnother optimization can be made based on the fact that the system uptime is written to the Windows Event Log\r\nroughly once per day. 
Since Thanatos does not modify the file creation dates on encrypted files, the key search space\r\ncan be further reduced to approximately the number of milliseconds within the 24-hour period leading up to the\r\ninfection. At an average of 100,000 brute-force attempts per second (which was the baseline in a virtual machine used\r\nfor testing), it would take roughly 14 minutes to successfully recover the encryption key in these conditions.\r\nTalos is releasing a decryption utility that can be leveraged by victims of Thanatos to attempt to regain access to data\r\nand files stored on the infected system. It has been tested on Versions 1 and 1.1 of the Thanatos ransomware and on all\r\ncurrently known Thanatos samples Talos has observed.\r\nNote: In order to decrypt files as quickly as possible, ThanatosDecryptor should be executed on the original machine\r\nthat was infected and against the original encrypted files that the malware created.\r\nThis decryption utility currently supports decryption of the following types of files:\r\nImage: .gif, .tif, .tiff, .jpg, .jpeg, .png\r\nVideo: .mpg, .mpeg, .mp4, .avi\r\nAudio: .wav\r\nDocument: .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pdf, .odt, .ods, .odp, .rtf\r\nOther: .zip, .7z, .vmdk, .psd, .lnk\r\nThe decryptor first searches the same directories as the ransomware to identify files that contain the .THANATOS file\r\nextension. For files that contain the .THANATOS file extension, the decryptor will then obtain the original file\r\nextension, which is left intact during infection, and compare it to the list of supported file types. If the file type is\r\nsupported, the decryptor will then queue that file for decryption.\r\nThanatosDecryptor also parses the Windows Event Log for uptime messages and uses the encrypted file creation time\r\nmetadata to determine a starting value for decryption. 
This value is used to derive an encryption key, and an AES\r\ndecryption operation is performed against the file contents. The resulting bytes are then compared against values known\r\nto be valid file headers for the specific file type. If they do not match, meaning the decryption process was unsuccessful,\r\nthe seed value for the encryption key is then incremented, and the process is repeated. Once successful, the original file\r\nis written to the file system, and the original filename is restored. Once one file has been successfully decrypted,\r\nThanatosDecryptor uses the seed value from that decryption attempt as the starting point for decryption attempts against\r\nadditional files since they are likely to be very similar.\r\nTo execute ThanatosDecryptor, simply download the ThanatosDecryptor project here and execute\r\nThanatosDecryptor.exe, which can be found in the release directory. Additional information and example output can be\r\nobtained here.\r\nFollowing the money … or lack thereof\r\nAs previously mentioned, throughout the various Thanatos campaigns and associated samples, the\r\nattacker behind this threat made changes to the types of cryptocurrencies that they claim are\r\nsupported for paying the ransom demand. Analysis of these various wallets and associated\r\ncryptocurrency transactions revealed some interesting information about the size and success of these\r\nmalware campaigns over time. 
Across all of the samples, the following cryptocurrency wallets were\r\nlisted along with instructions for paying the ransom on the ransom note accompanying the malware.\r\nBitcoin ($BTC):\r\n1HVEZ1jZ7BWgBYPxqCVWtKja3a9hsNa9Eh\r\n1DRAsxW4cKAD1BCS9m2dutduHi3FKqQnZF\r\nEthereum ($ETH):\r\n0x92420e4D96E5A2EbC617f1225E92cA82E24B03ef\r\nBitcoin Cash ($BCH):\r\nQzuexhcqmkzcdazq6jjk69hkhgnme25c35s9tamz6f\r\nZCash ($ZEC):\r\nt1JBenujX2WsYEZnzxSJDsQBzDquMCf8kbZ\r\nIn analyzing the bitcoin wallets, we identified that the attacker had not received a single ransom payment from victims.\r\nIn fact, the wallet listed most frequently across the samples analyzed (1HVEZ1jZ7BWgBYPxqCVWtKja3a9hsNa9Eh)\r\nwas not even a valid bitcoin wallet. This means that even if a victim tried to pay using bitcoin, they would have been\r\nunable to. The second wallet (1DRAsxW4cKAD1BCS9m2dutduHi3FKqQnZF) did not have a single transaction to or\r\nfrom it.\r\nLikewise, the Bitcoin Cash wallet that was listed has also never seen a single transaction.\r\nWhen analyzing the Zcash wallet that was seen listed on one of the ransom notes associated with Thanatos, we\r\nidentified that while it had seen several transactions, the total amount of ZEC received by this wallet was 2.24767084,\r\nwhich equals approximately $450 USD.\r\nFinally, the Ethereum wallet used by the attacker also saw several transactions. However, the total amount was also low\r\ncompared to some of the more successful ransomware campaigns we regularly observe across the threat landscape. 
The\r\ntotal amount of ETH received in this wallet was 0.52087597, which equals approximately $270 USD.\r\nThis means that across all of the samples seen in the wild, the attacker's wallets had only received a total of $720 USD.\r\nIf the incoming cryptocurrency was directly related to victims paying a ransom as a result of Thanatos infections, this\r\nclearly did not generate significant revenue for the attacker when compared to other financially motivated cybercrime\r\noperations.\r\nConclusion\r\nWhether for monetary gains or to destroy data, attackers are continuously targeting\r\nend users. This malware proves how easy it has become for anyone to target users. You\r\ndo not have to be a sophisticated attacker to cause havoc. There is also an endless\r\nsupply of attack vectors available. In this case, for instance, the attacker took\r\nadvantage of the Discord chat platform. Therefore, it is important to take security\r\nseriously and take steps to secure your systems, whether they are used for personal or\r\nbusiness purposes. 
Since many of these attacks take advantage of users, you also need\r\nto be careful when opening attachments from unknown sources or clicking on\r\nunknown links.\r\nCoverage\r\nAdditional ways our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat\r\nactors.\r\nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious\r\nwebsites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System\r\n(NGIPS), and Meraki MX can detect malicious activity associated with this threat.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs,\r\nwhether users are on or off the corporate network.\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for\r\npurchase on Snort.org.\r\nYARA Signatures\r\nTalos is also providing the following YARA signature that can be used to identify\r\nsamples associated with the Thanatos ransomware family.\r\nrule Thanatos\r\n{\r\n    strings:\r\n    $s1 = \".THANATOS\\x00\" ascii\r\n    $s2 = \"\\\\Desktop\\\\README.txt\" ascii\r\n    $s3 = \"C:\\\\Windows\\\\System32\\\\notepad.exe C:\\\\Users\\\\\" ascii\r\n    $s4 = \"AppData\\\\Roaming\" ascii\r\n    $s5 = \"\\\\Desktop\\x00\" ascii\r\n    $s6 = \"\\\\Favourites\\x00\" ascii\r\n    $s7 = \"\\\\OneDrive\\x00\" ascii\r\n    $s8 = \"\\\\x00.exe\\x00\" 
ascii\r\n    $s9 = \"/c taskkill /im\" ascii\r\n    $s10 = \"Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\" ascii\r\n    condition:\r\n    6 of ($s1, $s2, $s3, $s4, $s5, $s6, $s7, $s8, $s9, $s10)\r\n}\r\nIndicators of Compromise (IOC)\r\nFile Hashes (SHA256)\r\nURLs\r\nhXXps://cdn[.]discordapp[.]com/attachments/230687913581477889/424941165339475968/fastleafdecay.exe\r\nhXXp://iplogger[.]com:80/1CUTM6\r\nhXXp://iplogger[.]com:80/1t3i37\r\nUser Agents\r\nMozilla/5.0 (Windows NT 6.1) Thanatos/1.1\r\nSource: https://blog.talosintelligence.com/2018/06/ThanatosDecryptor.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/2018/06/ThanatosDecryptor.html"
	],
	"report_names": [
		"ThanatosDecryptor.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434769,
	"ts_updated_at": 1775791201,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/615f360dda2039b73e138c2b244ef508c9414513.pdf",
		"text": "https://archive.orkl.eu/615f360dda2039b73e138c2b244ef508c9414513.txt",
		"img": "https://archive.orkl.eu/615f360dda2039b73e138c2b244ef508c9414513.jpg"
	}
}