{"id":85851,"date":"2018-02-22T14:34:02","date_gmt":"2018-02-22T09:04:02","guid":{"rendered":"https:\/\/blogs_admin.quickheal.com\/?p=85851"},"modified":"2018-02-22T19:09:09","modified_gmt":"2018-02-22T13:39:09","slug":"thanatos-ransomware-analysis-quick-heal-security-labs","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/thanatos-ransomware-analysis-quick-heal-security-labs\/","title":{"rendered":"Thanatos Ransomware \u2013 an analysis by Quick Heal Security Labs"},"content":{"rendered":"<p>Quick Heal Security Labs has come across a new ransomware, known as Thanatos, that encrypts the victim\u2019s files with AES and then demands 0.01 Bitcoin as ransom.<\/p>\n<p>Thanatos is a Trojan-type malware that spreads through malicious advertisements, phishing sites, spam emails, freeware and cracked software.<\/p>\n<p>In spam emails, the ransomware arrives as an attachment such as a PDF, a ZIP archive or a macro-embedded Word (.doc) document. Opening such a file (and, for Office attachments, enabling its macros) triggers the infection and the encryption that follows.<\/p>\n<p>&nbsp;<\/p>\n<p><strong>Work flow of Thanatos<\/strong><\/p>\n<p>On execution, it checks for the presence of Avenues Power Desk software, Corel software, debuggers, Lotus software, Microsoft PowerPoint, and Star Office software.<\/p>\n<p>After successful execution, it drops the following artifacts onto the machine:<\/p>\n<blockquote><p>Exe file &#8211; \u2018&lt;%appdata%\/random_folder\/random.exe&gt;\u2019<\/p>\n<p>Registry &#8211; \u2018HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\DO_NOT_DELETE_THIS = C:\\Windows\\System32\\notepad.exe C:\\Users\\Desktop\\README.txt\u2019<\/p><\/blockquote>\n<p>The dropped .exe starts the encryption activity as soon as it lands on the infected system.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-85852\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/02\/1-1.png\" alt=\"\" width=\"761\" height=\"222\" 
srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/02\/1-1.png 761w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/02\/1-1-300x88.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/02\/1-1-650x190.png 650w\" sizes=\"(max-width: 761px) 100vw, 761px\" \/><\/p>\n<p style=\"text-align: center;\">Fig 1. Thanatos\u2019 ransom note<\/p>\n<p>After encrypting a file, it appends the extension .<strong>THANATOS<\/strong> to the file name and drops the ransom note \u2018README.txt\u2019, which also serves as its encryption marker.<\/p>\n<p>README.txt pops up every time the user logs in (including after a reboot) because the Run-key entry created by the malware opens it in Notepad.<\/p>\n<p>Once encryption is complete, Thanatos terminates its own process, so it no longer remains resident in memory.<\/p>\n<p>&nbsp;<\/p>\n<p><strong>How Quick Heal protects its users from the Thanatos Ransomware<\/strong><\/p>\n<p>Quick Heal works on multiple levels to protect its users from this threat. These levels include:<\/p>\n<ul>\n<li>Virus Protection<\/li>\n<li>Behaviour-based Detection<\/li>\n<li>Anti-Ransomware<\/li>\n<\/ul>\n<figure id=\"attachment_85853\" aria-describedby=\"caption-attachment-85853\" style=\"width: 322px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-85853 size-full\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/02\/2-1.png\" alt=\"\" width=\"322\" height=\"185\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/02\/2-1.png 322w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/02\/2-1-300x172.png 300w\" sizes=\"(max-width: 322px) 100vw, 322px\" \/><figcaption id=\"caption-attachment-85853\" class=\"wp-caption-text\">Fig 2. 
Anti-Ransomware Tool<\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<figure id=\"attachment_85854\" aria-describedby=\"caption-attachment-85854\" style=\"width: 322px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-85854 size-full\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/02\/3-1.png\" alt=\"\" width=\"322\" height=\"185\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/02\/3-1.png 322w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/02\/3-1-300x172.png 300w\" sizes=\"(max-width: 322px) 100vw, 322px\" \/><figcaption id=\"caption-attachment-85854\" class=\"wp-caption-text\">Fig 3. Behaviour Detection Tool<\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<figure id=\"attachment_85855\" aria-describedby=\"caption-attachment-85855\" style=\"width: 298px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-85855 size-full\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/02\/4-1.png\" alt=\"\" width=\"298\" height=\"160\" \/><figcaption id=\"caption-attachment-85855\" class=\"wp-caption-text\">Fig 4. Virus Protection<\/figcaption><\/figure>\n<p><strong>How to stay safe from ransomware attacks<\/strong><\/p>\n<p>Files encrypted by this ransomware are hard to decrypt: it generates a different key for each file locally, so there is no single key that unlocks everything. Paying the ransom is no guarantee of recovery, and users are advised not to pay. Follow these safety measures:<\/p>\n<ul>\n<li>Always take a backup of your important data in external drives like HDD and pen drives. 
Consider using a reliable Cloud service to store the data, and keep backup drives disconnected when not in use, since ransomware encrypts any drive it can reach.<\/li>\n<li>Never install cracked software, and avoid freeware from untrusted sources.<\/li>\n<li>Do not open advertisement pages shown on websites unless you know they are genuine.<\/li>\n<li>Keep macros disabled in MS Office and do not enable them for documents received by email.<\/li>\n<li>Always install and update your anti-virus to protect your system from unknown threats.<\/li>\n<\/ul>\n<p><strong>Indicators of compromise<\/strong><\/p>\n<p>MD5: 681211a7b964eaffd13e0610d82a25e7<\/p>\n<p>Encrypted file extension: .THANATOS<\/p>\n<p>Ransom note: README.txt<\/p>\n<p>Persistence: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\DO_NOT_DELETE_THIS<\/p>\n<p><strong>Subject Matter Expert<\/strong><\/p>\n<p>Shalaka Patil | Quick Heal Security Labs<\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Quick Heal Security Labs has come across a new ransomware with AES encryption technique that demands 0.01 Bitcoin as a ransom after encrypting the victim\u2019s files. It\u2019s known as Thanatos Ransomware. Thanatos is a type of a Trojan malware that spreads through malicious advertisements, phishing sites, spam emails, freeware and cracked software. 
In spam emails, [&hellip;]<\/p>\n","protected":false},"author":39,"featured_media":85868,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-85851","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/85851"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/39"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=85851"}],"version-history":[{"count":16,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/85851\/revisions"}],"predecessor-version":[{"id":85873,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/85851\/revisions\/85873"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/85868"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=85851"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=85851"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=85851"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
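The "Work flow of Thanatos" and "Indicators of compromise" sections above give a responder four concrete things to look for on a host: the sample's MD5, files renamed with the .THANATOS extension, the README.txt ransom note, and the HKCU Run value DO_NOT_DELETE_THIS. The following Python triage script is an added example, not code from the Quick Heal post; it turns those indicators into a scan that can be run against a suspect user profile or a mounted disk image. The sample directory it builds (`build_sample_tree`) is constructed placeholder data, not real malware artefacts; the registry check uses the standard-library `winreg` module and is only performed on Windows, returning None elsewhere.

```python
"""Host triage for the Thanatos indicators described in the post (added example)."""
import hashlib
import os
import sys
import tempfile
from pathlib import Path

# Indicators taken from the post: sample hash, encrypted-file extension,
# ransom-note filename and the HKCU Run value used for persistence.
THANATOS_MD5 = "681211a7b964eaffd13e0610d82a25e7"
ENCRYPTED_EXT = ".thanatos"
RANSOM_NOTE = "readme.txt"
RUN_KEY_PATH = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "DO_NOT_DELETE_THIS"


def md5_of(path):
    """Stream the file through MD5 so large files do not need to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root):
    """Walk `root` and collect the three file-system indicators."""
    findings = {"encrypted": [], "notes": [], "hash_hits": []}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.suffix.lower() == ENCRYPTED_EXT:
                findings["encrypted"].append(str(path))
            elif name.lower() == RANSOM_NOTE:
                findings["notes"].append(str(path))
            elif path.suffix.lower() == ".exe" and md5_of(path) == THANATOS_MD5:
                findings["hash_hits"].append(str(path))
    return findings


def check_run_key():
    """Windows only: return the DO_NOT_DELETE_THIS Run value, or None if absent.

    On non-Windows hosts there is no registry to query, so None is returned too.
    """
    if sys.platform != "win32":
        return None
    import winreg  # standard library on Windows builds of CPython

    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY_PATH) as key:
            value, _type = winreg.QueryValueEx(key, RUN_VALUE_NAME)
            return value
    except FileNotFoundError:
        return None


def is_infected(root):
    """Verdict from the strong indicators only; a lone README.txt is too common to count."""
    findings = scan_tree(root)
    return bool(findings["encrypted"] or findings["hash_hits"] or check_run_key())


def build_sample_tree():
    """Constructed sample data (placeholders, not real malware) to exercise the scan."""
    root = tempfile.mkdtemp(prefix="thanatos_demo_")
    docs = Path(root) / "Documents"
    docs.mkdir()
    (docs / "report.docx.THANATOS").write_bytes(b"\x00" * 32)
    (docs / "budget.xlsx.THANATOS").write_bytes(b"\x00" * 32)
    (docs / "clean.txt").write_text("untouched file")
    (docs / "empty.bin").write_bytes(b"")  # MD5 of empty input is a known constant
    (Path(root) / "README.txt").write_text("constructed ransom-note placeholder")
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    result = scan_tree(target)
    print(f"Scanned {target}")
    print(f"  encrypted files : {len(result['encrypted'])}")
    print(f"  ransom notes    : {len(result['notes'])}")
    print(f"  known-bad exe   : {len(result['hash_hits'])}")
    print(f"  Run-key value   : {check_run_key()!r}")
    print("  verdict         :", "INFECTED" if is_infected(target) else "clean")
```

Run it with a path argument (for example the %APPDATA% directory the post names as the drop location) to scan a real host, or without arguments to scan the constructed sample tree. The verdict deliberately ignores the ransom-note filename on its own, because README.txt is a common legitimate filename; the note is reported but only the .THANATOS rename, the hash match or the Run-key value mark the host as infected.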