Hackers stumble with ransomware strain Thanatos

There may be hope for ransomware victims whose files are encrypted by Thanatos, according to Cisco.
28 June 2018

Everyone makes mistakes, even hackers. Source: Pexels

Even hackers are human, it appears. Researchers at Cisco's Talos threat intelligence group have analyzed Thanatos, a ransomware strain circulating in the wild, and found a flaw in its design.

The file encryption scheme contains an error that makes it relatively easy to recover the key and decrypt affected files. The research team was able to build a decryption tool that lets victims of the attack recover their files without paying.

Ransomware, for those lucky enough never to have been affected, encrypts the files on a targeted machine and presents the user with a demand for payment in exchange for releasing them.

Whether decryption ever actually takes place after payment is far from certain: creators of ransomware are not renowned for the weight of their consciences or their positive moral attitudes.

According to a blog post published on Cisco Talos by researchers Edmund Brumaghin, Earl Carter and Andrew Williams:

“Multiple versions of Thanatos have been leveraged by attackers, indicating that this is an evolving threat that continues to be actively developed by threat actors with multiple versions having been distributed in the wild. Unlike other ransomware commonly being distributed, Thanatos does not demand ransom payments to be made using a single cryptocurrency like bitcoin. Instead, it has been observed supporting ransom payments in the form of Bitcoin Cash (BCH), Zcash (ZEC), Ethereum (ETH) and others.”

Given how this threat keeps changing in the wild, there is no assurance that paying the ransom will (either by accident or by design) result in files being decrypted.

In all the samples the research team examined, only a single Bitcoin wallet address was used, and payment appears to be handled manually over email.

This suggests that the authors behind the particular strain examined were so-called “script kiddies”: would-be hackers who reuse malware code found in the wild, often with little understanding of the underlying technology. Cold comfort, however, for victims.

The weakness in the encryption scheme also points to this lower level of coding ability. Because the key is tied to a millisecond-resolution time value rather than drawn from a cryptographically secure random source, the number of possible keys is small enough to search exhaustively:

“Since Thanatos does not modify the file creation dates on encrypted files, the key search space can be further reduced to approximately the number of milliseconds within the 24-hour period leading up to the infection,” the researchers stated.

“At an average of 100,000 brute-force attempts per second (which was the baseline in a […] machine used for testing), it would take roughly 14 minutes to successfully recover the encryption key in these conditions.”
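The search reasoning in the quote above, as an added example that is not Cisco Talos's decryptor or the malware's own code: a constructed Python model of a cipher whose key is derived from a millisecond counter, beside a brute-force search that uses the encrypted file's untouched creation time as the upper bound of the window. The key derivation, the hash-counter keystream, the file-format signature check and the sample file are all assumptions chosen for illustration; only the search-space arithmetic (86,400,000 candidates at 100,000 attempts per second, about 14 minutes) is taken from the quote.

```python
import hashlib
import struct

# Constructed model of a time-seeded file cipher, added for illustration.
# It is NOT Thanatos's code: the key derivation, keystream construction and
# signature check below are assumptions chosen to show the search reasoning
# in the Talos quote, not the malware's actual algorithm.

MS_PER_DAY = 24 * 60 * 60 * 1000  # 86,400,000 candidate seeds per day


def key_from_seed(seed_ms: int) -> bytes:
    """Hypothetical key derivation: the 'secret' key is a pure function of a
    millisecond counter captured at infection time, so a day of uncertainty
    leaves only ~26 bits of entropy, however long the derived key is."""
    return hashlib.sha256(b"seed:" + struct.pack("<Q", seed_ms)).digest()


def keystream(key: bytes, length: int) -> bytes:
    """Hash-counter keystream (assumed construction), truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack("<Q", counter)).digest()
        counter += 1
    return bytes(out[:length])


def xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_file(plaintext: bytes, seed_ms: int) -> bytes:
    return xor(plaintext, keystream(key_from_seed(seed_ms), len(plaintext)))


def decrypt_file(ciphertext: bytes, seed_ms: int) -> bytes:
    return encrypt_file(ciphertext, seed_ms)  # XOR stream cipher is symmetric


# Fixed file-format signatures used as a known-plaintext oracle. Signatures of
# five or more bytes keep false positives negligible across ~86 million
# candidates (a 5-byte match fires by chance about once per 2^40 trials);
# shorter magics (e.g. 3-byte JPEG) would need a full-file confirmation step.
KNOWN_MAGIC = (b"\x89PNG\r\n\x1a\n", b"%PDF-", b"Rar!\x1a\x07")


def header_is_plausible(header: bytes) -> bool:
    return any(header.startswith(m) for m in KNOWN_MAGIC)


def recover_seed(ciphertext: bytes, file_created_ms: int, window_ms: int = MS_PER_DAY):
    """Brute-force the seed. The encrypted file's creation timestamp, which the
    malware leaves unchanged, bounds the seed from above, so only the preceding
    window is searched, newest first. Each candidate costs two hashes and an
    8-byte XOR, which is what makes the per-attempt cost tiny."""
    header = ciphertext[:8]
    for seed in range(file_created_ms, file_created_ms - window_ms, -1):
        if header_is_plausible(xor(header, keystream(key_from_seed(seed), 8))):
            return seed
    return None


def estimated_search_seconds(window_ms: int = MS_PER_DAY, rate_per_sec: int = 100_000) -> float:
    """Worst-case search time from the quoted figures: 86,400,000 / 100,000 = 864 s."""
    return window_ms / rate_per_sec


if __name__ == "__main__":
    created_ms = 1_530_000_000_000   # constructed: creation time of the encrypted file
    true_seed = created_ms - 2_500   # constructed: counter value 2.5 s before that
    sample = b"%PDF-1.7\n%constructed sample document\n"
    ct = encrypt_file(sample, true_seed)
    seed = recover_seed(ct, created_ms)
    print(f"recovered seed {seed}; plaintext: {decrypt_file(ct, seed)!r}")
    print(f"worst case at 100k attempts/s: {estimated_search_seconds() / 60:.1f} minutes")
```

The point the model makes concrete is that the strength of the cipher is irrelevant once the key is a function of a guessable value: the defender never attacks the hash, only the 86.4 million seeds, and the untouched creation timestamp tells the search where to start.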

The malware in question appears to have been distributed via the Discord chat platform and manifested itself as a Minecraft mod (a modification file used to change some element of the popular game, Minecraft). Discord is a platform beloved of the gaming community and is often run in a window alongside gaming screens in order to allow participants an independent chat channel while involved in a game online.

While most organizations would frown upon gaming in the workplace, the BYOD nature of many organizations’ IT means that infected personal devices are often brought in from employees’ homes and joined to corporate networks.

Organizations wishing to protect themselves from this strain of Thanatos can obtain the decryption tool from Cisco Talos, which has published it alongside its full blog post.

Those wishing to protect themselves more broadly from this type of threat might begin by searching this site for the term “endpoint”, as in “endpoint protection”, the category of security measure that can help mitigate ransomware.