As previously described, the keys used to encrypt files on victims' systems are derived from the number of milliseconds since the system last booted. This value is a 32-bit number, so regardless of the nominal length of the derived key, its effective strength is 32 bits. Additionally, a 32-bit millisecond counter wraps after roughly 49.7 days, and most systems are rebooted well before that for patch installation and other reasons, so the uptime value at the time of infection is typically far below the maximum. This makes brute-forcing the key values significantly cheaper in terms of time.
Another optimization can be made based on the fact that the system uptime is written to the Windows Event Log roughly once per day. Since Thanatos does not modify the creation dates on encrypted files, the key search space can be further reduced to approximately the number of milliseconds within the 24-hour period leading up to the infection, which is 86,400,000 candidate values. At an average of 100,000 brute-force attempts per second (the baseline measured in a virtual machine used for testing), exhausting that window takes about 864 seconds, so it would take roughly 14 minutes to successfully recover the encryption key under these conditions.
Talos is releasing a decryption utility that can be leveraged by victims of Thanatos to attempt to regain access to data and files stored on the infected system. It has been tested on Versions 1 and 1.1 of the Thanatos ransomware and on all currently known Thanatos samples Talos has observed.
Note: In order to decrypt files as quickly as possible, ThanatosDecryptor should be executed on the original machine that was infected and against the original encrypted files that the malware created, because it relies on that machine's event log and on the creation timestamps of those files to narrow the key search.
This decryption utility currently supports decryption of the following types of files:
Image: .gif, .tif, .tiff, .jpg, .jpeg, .png
Video: .mpg, .mpeg, .mp4, .avi
Audio: .wav
Document: .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pdf, .odt, .ods, .odp, .rtf
Other: .zip, .7z, .vmdk, .psd, .lnk
The decryptor first searches the same directories as the ransomware to identify files that contain the .THANATOS file extension. For files that contain the .THANATOS file extension, the decryptor will then obtain the original file extension, which is left intact during infection, and compare it to the list of supported file types. If the file type is supported, the decryptor will then queue that file for decryption.
ThanatosDecryptor also parses the Windows Event Log for uptime messages and uses the creation time metadata of the encrypted files to determine a starting value for decryption. This value is used to derive an encryption key, and an AES decryption operation is performed against the file contents. The resulting bytes are then compared against values known to be valid file headers for the specific file type. If they do not match, meaning the decryption attempt was unsuccessful, the seed value for the encryption key is incremented and the process is repeated. Once successful, the original file is written to the file system and the original filename is restored. Once one file has been successfully decrypted, ThanatosDecryptor uses the seed value from that decryption as the starting point for attempts against additional files, since files encrypted in the same run have seed values that are likely to be very close to one another.
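The search loop described above, written out as an added example in Go; this is not ThanatosDecryptor's own code. The real Thanatos key derivation is not reproduced on this page, so `deriveKey` here is a placeholder (SHA-256 over the little-endian tick count, used as an AES-256 key), the file layout (a 16-byte IV followed by AES-CBC ciphertext with PKCS#7 padding) is assumed for the demo, and the two sample files are constructed inline. The file signatures are the standard magic bytes for the listed formats.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Known file signatures, keyed by the original extension that is left in the
// file name ahead of .THANATOS. These are the standard magic bytes.
var magic = map[string][]byte{
	"png":  {0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'},
	"jpg":  {0xff, 0xd8, 0xff},
	"gif":  []byte("GIF8"),
	"pdf":  []byte("%PDF"),
	"zip":  {'P', 'K', 0x03, 0x04},
	"docx": {'P', 'K', 0x03, 0x04},
	"7z":   {'7', 'z', 0xbc, 0xaf, 0x27, 0x1c},
	"rtf":  []byte("{\\rtf"),
}

// deriveKey is an assumed stand-in for the real Thanatos derivation: it only
// matters that the 32-bit tick count is the sole input to the key.
func deriveKey(seed uint32) []byte {
	var b [4]byte
	binary.LittleEndian.PutUint32(b[:], seed)
	k := sha256.Sum256(b[:])
	return k[:]
}

// encryptSample builds a constructed encrypted blob for the demo using the
// assumed layout IV || AES-256-CBC(PKCS#7(plain)).
func encryptSample(plain []byte, seed uint32, iv [16]byte) []byte {
	block, _ := aes.NewCipher(deriveKey(seed))
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	buf := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, len(buf))
	cipher.NewCBCEncrypter(block, iv[:]).CryptBlocks(out, buf)
	return append(iv[:], out...)
}

// firstBlock decrypts only the first ciphertext block (P1 = D(C1) XOR IV), so
// a wrong seed costs one AES operation rather than a full-file decrypt.
func firstBlock(block cipher.Block, enc []byte) []byte {
	out := make([]byte, aes.BlockSize)
	block.Decrypt(out, enc[aes.BlockSize:2*aes.BlockSize])
	for i := range out {
		out[i] ^= enc[i]
	}
	return out
}

// decryptAll decrypts the whole file and validates the padding, which rejects
// most seeds whose decrypted header collides with a short signature by chance.
func decryptAll(block cipher.Block, enc []byte) ([]byte, error) {
	body := enc[aes.BlockSize:]
	out := make([]byte, len(body))
	cipher.NewCBCDecrypter(block, enc[:aes.BlockSize]).CryptBlocks(out, body)
	pad := int(out[len(out)-1])
	if pad == 0 || pad > aes.BlockSize || pad > len(out) {
		return nil, errors.New("bad padding")
	}
	for _, b := range out[len(out)-pad:] {
		if int(b) != pad {
			return nil, errors.New("bad padding")
		}
	}
	return out[:len(out)-pad], nil
}

// recoverSeed walks seeds upward from start and stops at the first one whose
// decrypted header matches the signature for ext and whose padding is valid.
func recoverSeed(enc []byte, ext string, start, maxTries uint32) (uint32, []byte, error) {
	sig, ok := magic[ext]
	if !ok || len(enc) < 2*aes.BlockSize || len(enc)%aes.BlockSize != 0 {
		return 0, nil, errors.New("unsupported file type or malformed input")
	}
	for i := uint32(0); i < maxTries; i++ {
		seed := start + i
		block, _ := aes.NewCipher(deriveKey(seed))
		if !bytes.HasPrefix(firstBlock(block, enc), sig) {
			continue
		}
		plain, err := decryptAll(block, enc)
		if err != nil {
			continue // header collision on a wrong seed; keep searching
		}
		return seed, plain, nil
	}
	return 0, nil, errors.New("seed not found in window")
}

// victimFile pairs ciphertext with the original extension read from its name.
type victimFile struct {
	ext string
	enc []byte
}

// recoverBatch mirrors the decryptor's reuse of the last successful seed as the
// starting point for the next file. A nil entry means that file was not recovered.
func recoverBatch(files []victimFile, start, window uint32) ([][]byte, []uint32) {
	plains := make([][]byte, len(files))
	seeds := make([]uint32, len(files))
	for i, f := range files {
		seed, plain, err := recoverSeed(f.enc, f.ext, start, window)
		if err != nil {
			continue
		}
		plains[i], seeds[i], start = plain, seed, seed
	}
	return plains, seeds
}

func main() {
	// Constructed samples: two files encrypted 8 ms apart on a machine with
	// about one day of uptime, searched from an estimate 5 s too early.
	var iv [16]byte
	copy(iv[:], "0123456789abcdef")
	files := []victimFile{
		{"png", encryptSample(append(append([]byte{}, magic["png"]...), []byte("IHDR-data")...), 86400123, iv)},
		{"pdf", encryptSample([]byte("%PDF-1.7 sample"), 86400131, iv)},
	}
	plains, seeds := recoverBatch(files, 86400123-5000, 86400000)
	for i := range files {
		fmt.Printf("file %d: seed=%d plaintext=%q\n", i, seeds[i], plains[i])
	}
}
```

Two points worth keeping in mind if you adapt this: a 3-byte signature such as JPEG's will match by chance a handful of times across an 86-million-seed window, which is why the full decrypt and padding check sit behind the header check rather than being skipped; and reusing the last successful seed as the next start assumes files were encrypted in the order you process them, since the tick count only moves forward.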
To execute ThanatosDecryptor, simply download the ThanatosDecryptor project here and execute ThanatosDecryptor.exe, which can be found in the release directory.