{
	"id": "461b0b4b-75d6-4e24-b926-bf6a1bcc1851",
	"created_at": "2026-04-06T00:19:10.272282Z",
	"updated_at": "2026-04-10T03:21:20.133828Z",
	"deleted_at": null,
	"sha1_hash": "6fc1abf85fd4bfe57e529c3de2a64ffc00d4f087",
	"title": "Thanatos Ransomware Is First to Use Bitcoin Cash. Messes Up Encryption",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 977433,
	"plain_text": "Thanatos Ransomware Is First to Use Bitcoin Cash. Messes Up\r\nEncryption\r\nBy Lawrence Abrams\r\nPublished: 2018-02-26 · Archived: 2026-04-05 15:37:36 UTC\r\nRansomware developers continue to release infections that are clearly not tested well and contain bugs that may make it\r\ndifficult, if not impossible, for victims to recover their files. Such is the case with the new in-the-wild ransomware called\r\nThanatos that has been discovered by security researcher MalwareHunterTeam.\r\nWhen the Thanatos Ransomware infects a victim it will use a new key for each encrypted file. The problem, according to\r\nresearcher Francesco Muroni, is that these keys are never saved anywhere. This means that if a user pays the ransom, the\r\nransomware developer does not have a method that will actually be able to decrypt each file. Therefore, it is not\r\nrecommended that victims pay the Thanatos ransom for any reason.\r\nThe good news is that according to Muroni it may be possible to brute force the encryption key for each file. This would\r\ntake quite a bit of time and would require the file to be a common file type with a known magic header.\r\nThanatos is the first ransomware to accept Bitcoin Cash\r\nWhile the encryption part of Thanatos is a mess, the ransomware does introduce something new. It is the first\r\nransomware to accept Bitcoin Cash as a ransom payment.\r\nhttps://www.bleepingcomputer.com/news/security/thanatos-ransomware-is-first-to-use-bitcoin-cash-messes-up-encryption/\r\nPage 1 of 6\n\nFor those unfamiliar with Bitcoin Cash, it is a new cryptocurrency that was spun off from Bitcoin. When Bitcoin hit\r\nblock 478,558, Bitcoin was forked into a new cryptocurrency called Bitcoin Cash. 
When this fork occurred, Bitcoin holders\r\nwere then given an equivalent amount of Bitcoin Cash. For example, if a user had 2 Bitcoins at the time of the fork, they\r\nwould have received 2 Bitcoin Cash as well.\r\nWhile Thanatos accepts both Bitcoin and Ethereum as a ransom payment, this is the first time that Bitcoin Cash has been\r\naccepted, as shown in the ransom note below.\r\nThanatos Ransom Note\r\nHow Thanatos Ransomware encrypts a Computer\r\nWhen the Thanatos Ransomware encrypts a computer it will generate a new encryption key for every file encrypted. As\r\ndiscussed already, unfortunately these encryption keys are not saved anywhere and thus according to researchers it would\r\nnot be possible for the developers to decrypt the files even if a ransom payment is made.\r\nWhen encrypting files it will append the .THANATOS extension to an encrypted file's name. For example, a file named\r\ntest.jpg would be encrypted and renamed as test.jpg.THANATOS.\r\nThanatos Encrypted Files\r\nAfter the encryption process is finished it will then connect to the iplogger.com/1t3i37 URL in order to keep track of the number\r\nof victims that have been infected.\r\nFinally, it will generate an autorun key called \"Microsoft Update System Web-Helper\" that opens the README.txt ransom\r\nnote every time a user logs in. This ransom note can be seen in the article's previous section.\r\nThis ransom note contains instructions to send a $200 USD ransom payment to one of the listed Bitcoin, Ethereum, or\r\nBitcoin Cash addresses. The user is then instructed to contact thanatos1.1@yandex.com with their unique victim ID in order\r\nto receive a decryption program.\r\nAs already stated, this ransomware can not be decrypted normally due to it not saving the encryption keys and thus the\r\nransom payment should not be made. 
If anyone is infected with this ransomware, they should contact us about the possible\r\ncreation of a brute force program.\r\nHow to protect yourself from the Thanatos Ransomware\r\nIn order to protect yourself from ransomware in general, it is important that you use good computing habits and security\r\nsoftware. First and foremost, you should always have a reliable and tested backup of your data that can be restored in the\r\ncase of an emergency, such as a ransomware attack.\r\nYou should also have security software that incorporates behavioral detections to combat ransomware and not just signature\r\ndetections or heuristics. For example, Emsisoft Anti-Malware and Malwarebytes Anti-Malware both contain behavioral\r\ndetection that can prevent many, if not most, ransomware infections from encrypting a computer.\r\nLast, but not least, make sure you practice the following security habits, which in many cases are the most important steps of\r\nall:\r\nBackup, Backup, Backup!\r\nDo not open attachments if you do not know who sent them.\r\nDo not open attachments until you confirm that the person actually sent them to you.\r\nScan attachments with tools like VirusTotal.\r\nMake sure all Windows updates are installed as soon as they come out! Also make sure you update all programs,\r\nespecially Java, Flash, and Adobe Reader. Older programs contain security vulnerabilities that are commonly\r\nexploited by malware distributors. Therefore it is important to keep them updated.\r\nMake sure you have some sort of security software installed that uses behavioral detections or white list\r\ntechnology. 
White listing can be a pain to train, but if you're willing to stick with it, it could have the biggest payoffs.\r\nUse hard passwords and never reuse the same password at multiple sites.\r\nFor a complete guide on ransomware protection, you can visit our How to Protect and Harden a Computer against\r\nRansomware article.\r\nIOCs\r\nHashes:\r\nfe1eafb8e31a84c14ad5638d5fd15ab18505efe4f1becaa36eb0c1d75cd1d5a9\r\nRansom Note Text: \r\n---------------------------------------------------\r\n ________ _____ _ _____ __________ _____\r\n /_ __/ / / / | / | / / |/_ __/ __ \\/ ___/\r\n / / / /_/ / /| | / |/ / /| | / / / / / /\\__ \\\r\n / / / __ / ___ |/ /| / ___ |/ / / /_/ /___/ /\r\n/_/ /_/ /_/_/ |_/_/ |_/_/ |_/_/ \\____//____/\r\n---------------------------------------------------\r\n Thanatos v1.1\r\nYour files was encrypted. To decrypt your files,\r\nfollow next steps:\r\n1. Send $200 to one of these wallets:\r\nBTC: 1HvEZ1jZ7BWgBYPxqCvWtKja3a9hsNa9Eh\r\nETH: 0x92420e4D96E5A2EbC617f1225E92cA82E24B03ef\r\nBCH: qzuexhcqmkzcdazq6jjk69hkhgnme25c35s9tamz6f\r\n2. Send your TXID and your MachineID to mail\r\nE-Mail: thanatos1.1@yandex.com\r\nMactineID: 6bfd5faf-54f4-4620-a82d-4558a9132a25\r\n \r\n---------------------------------------------------\r\nDo not waste your time, files can only be\r\ndecrypted by our decode tool.\r\nEmail Addresses:\r\nthanatos1.1@yandex.com\r\nAssociated Files:\r\nREADME.txt\r\nAssociated Registry Entries:\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run \"Microsoft Update System Web-Helper\" = \"C:\\Windows\\System\r\nSource: https://www.bleepingcomputer.com/news/security/thanatos-ransomware-is-first-to-use-bitcoin-cash-messes-up-encryption/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/thanatos-ransomware-is-first-to-use-bitcoin-cash-messes-up-encryption/"
	],
	"report_names": [
		"thanatos-ransomware-is-first-to-use-bitcoin-cash-messes-up-encryption"
	],
	"threat_actors": [],
	"ts_created_at": 1775434750,
	"ts_updated_at": 1775791280,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6fc1abf85fd4bfe57e529c3de2a64ffc00d4f087.pdf",
		"text": "https://archive.orkl.eu/6fc1abf85fd4bfe57e529c3de2a64ffc00d4f087.txt",
		"img": "https://archive.orkl.eu/6fc1abf85fd4bfe57e529c3de2a64ffc00d4f087.jpg"
	}
}