lolloj - Fotolia

How does Thanatos ransomware decryptor tool restore data?

Cisco Talos' Thanatos ransomware decryptor can recover files affected by new ransomware that won't decrypt ransomed files even when a ransom has been paid.

When the new Thanatos ransomware first surfaced, it encrypted victims' data -- but since the malware failed to record the encryption key, victims who paid the ransom were still out of luck. Researchers at the Cisco Systems Inc.'s Talos Intelligence Group found a way to break the encryption and create a ransomware decryptor for victims. How were they able to do this, and what protocol should victims follow if they find themselves a victim of ransomware?

Enterprises need to continue to address evolving ransomware attacks as ransomware continues to affect enterprises and individuals at an astounding rate. While some ransomware attacks have gotten significantly more sophisticated, others seem to be riding the wave of attention -- new malware authors are emerging and may not have the technical capabilities of established hackers.

Security research group MalwareHunterTeam initially reported finding the Thanatos ransomware variant in February 2018. Initial analysis indicated that the new malware did not appear to have any notable technical capabilities or features. However, on further analysis, it was found to be even more destructive, as the malware lacked a critical feature: the ability to decrypt ransomed files.

Talos researchers Edmund Brumaghin, Earl Carter and Andrew Williams wrote up their results and created a Thanatos ransomware decryptor program capable of decrypting the affected files, meaning victims can recover their data without paying. The researchers discovered that the malware was delivered to victims as an attachment to messages sent over the Discord voice and text chat platform.

Once the malware is on the endpoint, the victims are often able to recover their data using the ransomware decryptor provided by Talos.

The researchers uncovered details of the ransomware's evolution by looking at multiple samples of the malware. They found that while the failure to produce a decryption key may have initially been the result of a bug, later versions indicate that the attacker had no intention of providing a decryption key even after a ransom was paid.

For earlier versions of Thanatos ransomware, the encryption is based on the number of milliseconds that the infected system has been running. While strong cryptography is difficult for even advanced developers, and using standard cryptography like AES-256 to encrypt a file is a good idea, basing the encryption key on the number of milliseconds a system has been running has limitations. This gave Talos what it needed to create a Thanatos ransomware decryptor tool to recover encrypted data.

When investigating any ransomware attack, it is useful to find out if a decryption tool exists. Defenders should also verify if the files were even encrypted. While in this case, Talos researchers were able to produce a remedy, users should not depend on the security community being able to create a decryptor.

And it goes without saying that the option of paying a ransom to get data back is not always going to produce a positive result. Enterprises must have secure backup systems in place to ensure their data is protected.

Ask the expert:                            
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)

Dig Deeper on Threats and vulnerabilities

Enterprise Desktop
Cloud Computing