Thanatos, discovered by MalwareHunterTeam, appends .THANATOS to the names of encrypted files and creates a ransom note named README.txt. Every time a user logs in the ransom note is opened by an autorun key labeled "Microsoft Update System Web-Helper”. Although Thanatos creates a new key for each infected victim, the developers have no way to decrypt victims' files as these keys are not saved anywhere. The current ransom amount is $200 USD accepted in Bitcoin, Ethereum, or Bitcoin Cash and the email address associated with this campaign is thanatos1.1[@]yandex[.]com.

  • Bleeping Computer provides additional information on Thanatos here.
  • The NJCCIC is not aware of any free decryption tools available for Thanatos. However, it may be possible to brute force the encryption key for each file.


Image Source: Bleeping Computer