Thanatos

Thanatos, discovered by MalwareHunterTeam, appends .THANATOS to the names of encrypted files and creates a ransom note named README.txt. Every time a user logs in, the ransom note is opened by an autorun key labeled "Microsoft Update System Web-Helper". Although Thanatos creates a new key for each infected victim, the developers have no way to decrypt victims' files because these keys are not saved anywhere. The current ransom amount is $200 USD, accepted in Bitcoin, Ethereum, or Bitcoin Cash, and the email address associated with this campaign is thanatos1.1[@]yandex[.]com.

UPDATE 8/30/2018: A new version appends .PICO to the names of encrypted files and creates a ransom note named README.txt.
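The indicators above can be combined into a simple host triage check. The following is an added example, not code from the original profile or from any Thanatos tooling: the `triage` function, the sample paths, and the sample autorun command line are constructed, and the page does not state which registry key holds the autorun entry, so the caller is assumed to supply exported autorun values as a name-to-command mapping.

```python
from pathlib import PureWindowsPath

ENCRYPTED_EXTS = {".thanatos", ".pico"}               # extensions named in the profile
NOTE_NAME = "readme.txt"                              # ransom note name in the profile
AUTORUN_LABEL = "microsoft update system web-helper"  # autorun label in the profile


def triage(file_paths, autorun_entries):
    """Correlate a file listing and exported autorun values (name -> command)."""
    file_paths = list(file_paths)
    encrypted = [f for f in file_paths
                 if PureWindowsPath(f).suffix.lower() in ENCRYPTED_EXTS]
    autoruns = [(name, cmd) for name, cmd in autorun_entries.items()
                if name.strip().lower() == AUTORUN_LABEL]
    # README.txt is a common file name, so a note only counts when the
    # flagged autorun entry's command line points at it.
    notes = [f for f in file_paths
             if PureWindowsPath(f).name.lower() == NOTE_NAME
             and any(f.lower() in cmd.lower() for _, cmd in autoruns)]
    hits = sum(bool(x) for x in (encrypted, autoruns, notes))
    verdict = "likely" if hits >= 2 else "possible" if hits == 1 else "none"
    return {"encrypted": encrypted, "autoruns": autoruns,
            "notes": notes, "verdict": verdict}


# Constructed sample input (not taken from a real host).
SAMPLE_FILES = [
    r"C:\Users\alice\Documents\budget.xlsx.THANATOS",
    r"C:\Users\alice\Pictures\cat.jpg.PICO",
    r"C:\Users\alice\Desktop\README.txt",
    r"C:\Program Files\SomeApp\README.txt",   # benign file with the same name
    r"C:\Users\alice\Documents\notes.txt",
]
SAMPLE_AUTORUNS = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\OneDrive\OneDrive.exe" /background',
    # Constructed command line; the page does not say how the note is opened.
    "Microsoft Update System Web-Helper":
        r"C:\Windows\System32\notepad.exe C:\Users\alice\Desktop\README.txt",
}

if __name__ == "__main__":
    result = triage(SAMPLE_FILES, SAMPLE_AUTORUNS)
    print(result["verdict"])
    for key in ("encrypted", "autoruns", "notes"):
        print(key, result[key])
```

A "possible" verdict from the file extension alone deserves a manual look, since other software may use the same extensions.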

  • Bleeping Computer provides additional information on Thanatos here.
  • A decryption tool for Thanatos is available on GitHub, here.

 

Image Source: Bleeping Computer