{
	"id": "67b88f7c-ace2-40ae-a13c-09f71c500a72",
	"created_at": "2026-04-06T00:11:54.494158Z",
	"updated_at": "2026-04-10T13:11:44.764443Z",
	"deleted_at": null,
	"sha1_hash": "e3d5db33dda9c5a6975c58ce9f8bbe3917734926",
	"title": "Thanatos Ransomware Decryptor Released by the Cisco Talos Group",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 939012,
	"plain_text": "Thanatos Ransomware Decryptor Released by the Cisco Talos Group\r\nBy Lawrence Abrams\r\nPublished: 2018-06-26 · Archived: 2026-04-05 18:42:08 UTC\r\nBack in February we wrote about a new ransomware called Thanatos that was encrypting victims' data, but contained flaws\r\nthat would not allow the authors to decrypt a victim's files even if they paid. Thankfully, the Cisco Talos Group was able to\r\nfind a method to break the encryption routine in order to create a decryptor that allows victims to recover their files for free.\r\nWhile Thanatos never had a wide distribution, there were some victims of this ransomware as indicated by submissions to\r\nID Ransomware and from Cisco's analysis. According to Cisco there were multiple campaigns, with version 1.1 being\r\ndistributed most widely. \r\nThis version used a more advanced ransom note and visibly showed the name and version of the ransomware as displayed\r\nbelow. Victims of this ransomware would also have their files encrypted and the names of the files would have the\r\n.THANATOS extension appended to them. 
For example, test.jpg would be encrypted and named as test.jpg.THANATOS.\r\nThanatos Ransom Note\r\nCisco has also stated that other versions were released that did not contain any contact information and appeared to be\r\ndesigned to simply destroy the victim's data.\r\n\"In investigating the distribution mechanisms being used by the attacker to infect victims and remove their ability to access\r\ndata on their system, we identified an interesting campaign that indicated that at least in this particular case, the attacker had\r\nno intention of providing any sort of data decryption to the victim,\" Cisco's report stated. \"The malware appears to have\r\nbeen delivered to the victim as an attachment to a chat message sent to the victim using the Discord chat platform.\"\r\nAs Thanatos was released at one time as an open-source project, it is possible that other developers were creating their own\r\nversions using the same ransomware code base.\r\nDecrypting files encrypted by the Thanatos Ransomware\r\nTo decrypt files encrypted by the Thanatos Ransomware, you should download the Thanatos Decryptor and save it to your\r\ndesktop. You also need to make sure you have the Microsoft Visual C++ Redistributable for Visual Studio 2017 installed or\r\nyou will receive errors about missing DLLs when you try to run the decryptor.\r\nThanatos Decryptor\r\nOnce you have everything you need, simply double-click on the executable and the decryptor will begin to search for files to\r\ndecrypt. 
At this time, the decryptor will only decrypt the following file types:\r\nImage: .gif, .tif, .tiff, .jpg, .jpeg, .png\r\nVideo: .mpg, .mpeg, .mp4, .avi\r\nAudio: .wav\r\nDocument: .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pdf, .odt, .ods, .odp, .rtf\r\nOther: .zip, .7z, .vmdk, .psd, .lnk\r\nCisco also recommends that the decryptor be run on the same machine on which the files were encrypted. The decryption process\r\ncan take quite a while, so please be patient while it decrypts your files.\r\nFor those who are interested in learning how decryptors work, Cisco has open sourced their tool, which can be found at the\r\nproject's GitHub page.\r\nSource: https://www.bleepingcomputer.com/news/security/thanatos-ransomware-decryptor-released-by-the-cisco-talos-group/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/thanatos-ransomware-decryptor-released-by-the-cisco-talos-group/"
	],
	"report_names": [
		"thanatos-ransomware-decryptor-released-by-the-cisco-talos-group"
	],
	"threat_actors": [],
	"ts_created_at": 1775434314,
	"ts_updated_at": 1775826704,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e3d5db33dda9c5a6975c58ce9f8bbe3917734926.pdf",
		"text": "https://archive.orkl.eu/e3d5db33dda9c5a6975c58ce9f8bbe3917734926.txt",
		"img": "https://archive.orkl.eu/e3d5db33dda9c5a6975c58ce9f8bbe3917734926.jpg"
	}
}