'ThanatosDecryptor' restores files encrypted by the 'Thanatos' ransomware free of charge



Ransomware is a type of extortion malware that encrypts the files stored on a computer so they can no longer be read, with the attacker offering to restore them in exchange for a ransom paid in a virtual currency or similar. The ransomware "Thanatos" had a flaw in its encryption process that made it impossible to restore files. Talos, Cisco's security division, has worked out Thanatos's encryption process and published a tool called "ThanatosDecryptor" on GitHub for recovering files encrypted by Thanatos.

Cisco's Talos Intelligence Group Blog: Files Cannot Be Decrypted? Challenge Accepted. Talos Releases Thanatos Decryptor
https://blog.talosintelligence.com/2018/06/ThanatosDecryptor.html

Free Thanatos Ransomware Decryption Tool Released
https://thehackernews.com/2018/06/free-ransomware-decryption-tools.html

Like other ransomware, Thanatos encrypts the files on a computer and demands that the computer's owner pay a ransom in a virtual currency such as Bitcoin Cash. The intended mechanism is that once the attacker confirms the ransom payment, the encryption applied to the files on that computer is undone. However, Thanatos's encryption process was flawed in a way that could not be undone even when the attacker tried to decrypt the files, so there were cases in which paying the ransom did not recover them.



However, Talos, which analyzed Thanatos's internal processing, found that the key used to encrypt each file is derived from the system uptime of the OS in milliseconds. Since Thanatos targets Windows machines, and Windows records the system uptime as a 32-bit value by specification, it also became clear that Thanatos uses the same 32-bit key length for file encryption.

Windows' 32-bit uptime counter wraps around after 49.7 days, but on a PC or server that correctly applies the monthly Windows patches and is restarted accordingly, the 49.7-day limit never comes into play. From these facts, Talos reasoned that the uptime value Thanatos used for file encryption could be determined from the boot time recorded in the Windows event log and the last-modified date of the file that was actually encrypted.



Talos then developed a method that uses the system uptime obtained this way to narrow down the range of decryption keys needed to undo the file encryption, and searches for the key value by exhaustively trying every candidate within that range. According to Talos, files could be recovered in about 14 minutes in the environment used for testing.
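The following is an added illustration of the key-space narrowing described above; it is constructed for this article and is not Talos's ThanatosDecryptor code, nor Thanatos's real cipher. A toy encryptor derives its key from a 32-bit millisecond uptime counter (as Windows' tick counter behaves), and the recovery routine estimates the uptime at encryption time from a boot timestamp (as an event log would record it) and the encrypted file's last-modified time, then tries only the ticks inside that window against a known file header. The key derivation (SHA-256 of the tick) and the hash-based XOR keystream are assumptions made for the example.

```python
"""Constructed example: recovering an uptime-derived key by narrowing
the 32-bit tick window from boot time and file modification time.
The cipher and key derivation here are toys for illustration only."""
import hashlib
import struct
from datetime import datetime, timedelta

TICK_MASK = 0xFFFFFFFF          # a 32-bit ms counter wraps after ~49.7 days
MS_PER_DAY = 86_400_000


def wrap_days():
    """Days until a 32-bit millisecond counter wraps around."""
    return round((TICK_MASK + 1) / MS_PER_DAY, 1)   # 49.7


def keystream(tick, length):
    """Toy KDF: key = SHA-256(tick), keystream = SHA-256(key || counter)."""
    key = hashlib.sha256(struct.pack("<I", tick & TICK_MASK)).digest()
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack("<Q", counter)).digest()
        counter += 1
    return bytes(out[:length])


def toy_encrypt(plaintext, tick):
    """XOR the plaintext with the tick-derived keystream (symmetric)."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(tick, len(plaintext))))


toy_decrypt = toy_encrypt


def elapsed_ms(boot_time, file_mtime):
    """Exact integer milliseconds between boot and the file's mtime."""
    d = file_mtime - boot_time
    return d.days * MS_PER_DAY + d.seconds * 1000 + d.microseconds // 1000


def candidate_ticks(boot_time, file_mtime, tolerance_ms):
    """Yield plausible 32-bit tick values for a file written at file_mtime
    on a machine booted at boot_time, within +/- tolerance_ms."""
    centre = elapsed_ms(boot_time, file_mtime)
    for t in range(max(centre - tolerance_ms, 0), centre + tolerance_ms + 1):
        yield t & TICK_MASK       # masking handles the 49.7-day wrap


def recover_tick(ciphertext, known_prefix, boot_time, file_mtime, tolerance_ms=5000):
    """Try every tick in the narrowed window; a candidate is accepted when
    decrypting the first bytes yields the expected file header.
    Returns (tick, number_of_tries) or (None, number_of_tries)."""
    tries = 0
    head = ciphertext[:len(known_prefix)]
    for t in candidate_ticks(boot_time, file_mtime, tolerance_ms):
        tries += 1
        if toy_decrypt(head, t) == known_prefix:
            return t, tries
    return None, tries


def demo():
    """End-to-end run on constructed data; returns (found, tries, plaintext)."""
    boot = datetime(2018, 6, 1, 8, 0, 0)                 # constructed boot time
    true_tick = ((3 * 24 + 4) * 3600 + 12) * 1000 + 345   # 3d 4h 12.345s uptime
    plaintext = b"%PDF-1.7\nconstructed document body"
    ciphertext = toy_encrypt(plaintext, true_tick)
    # The file's mtime lands ~1.2 s after the tick the key was taken from.
    mtime = boot + timedelta(milliseconds=true_tick + 1200)
    tick, tries = recover_tick(ciphertext, b"%PDF-", boot, mtime)
    return tick == true_tick, tries, toy_decrypt(ciphertext, tick)


if __name__ == "__main__":
    found, tries, pt = demo()
    print(f"wrap after {wrap_days()} days; recovered={found} after {tries} tries: {pt[:9]!r}")
```

With a 5-second tolerance the search covers 10,001 candidates instead of the full 2^32, which is why an uptime-derived key can be brute-forced in minutes once the boot time and the file's timestamp are known; in practice the tolerance would be widened to cover timestamp imprecision, and a known header (PDF, Office, ZIP magic bytes) serves as the plaintext check.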

Talos has released "ThanatosDecryptor", a tool that undoes file encryption by Thanatos, on GitHub, and anyone can use it free of charge.

in Software, Security, Posted by darkhorse_log