.THANATOS File Ransomware Virus – How to Remove and Restore Files


This article explains what the Thanatos ransomware virus is and how to restore the files it has encrypted, which carry the .THANATOS file suffix.

The .THANATOS ransomware is the type of infection you do not want on your computer. The malware belongs to the ransomware family, meaning that its primary purpose is to encrypt the files on your computer so that they can no longer be opened, at least until a hefty ransom fee has been paid to the cyber-criminals behind the infection. The ransomware demands a $200 US ransom in Bitcoin, Ethereum or Bitcoin Cash. If your computer has been infected by it, we recommend that you read the following article to learn how to remove it and restore the files encrypted by this malware.

Threat Summary

Name: .THANATOS Files Virus
Type: Ransomware, Cryptovirus
Short Description: Aims to encrypt the files on infected computers and asks victims to pay $200 in cryptocurrencies to get them decrypted.
Symptoms: Files can no longer be opened and now carry the .THANATOS file extension.
Distribution Method: Spam e-mails, e-mail attachments, executable files

.THANATOS Files Virus – How Did I Get infected

The primary way your computer could have gotten infected by this ransomware is by opening the attachment of a spam e-mail. Most cyber-crooks run massive spam campaigns whose primary purpose is to deceive inexperienced users into opening malicious attachments by making them look like documents of great importance, as the fake e-mail in the example below shows:

In addition to spam e-mails, the .THANATOS ransomware may also spread via other malicious files uploaded directly to suspicious websites or even torrent sites. The most commonly disguised files are believed to be:

  • Fake setups of programs or games.
  • Fake game patches, cracks or key generators.
  • Fake software license activators.

.THANATOS Files Virus – More Information and Activity

Once an infection with this ransomware takes place, it immediately employs a resource fork that contains all of the malicious commands. This infection technique is used to hide the malicious files from protection software and to hinder reverse engineering. Security researchers believe that the .THANATOS files virus also has information extraction modules embedded in it, which also query the OS kernel. In addition, the Thanatos ransomware's engine can check whether specific Windows processes are running on your computer and take action to end those tasks. Furthermore, the infection can detect sandbox environments and debuggers, check whether it is running in a virtual machine, and delete itself if so.

Once Thanatos ransomware has infected a computer, it adds an entry named ‘Microsoft Update System Web-Helper’ to the following Windows Registry Run sub-key, so that README.txt is opened automatically:

→ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “Microsoft Update System Web-Helper” = “C:\Windows\System32\notepad.exe %UserProfile%\Desktop\README.txt”
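As an added defender-side example (not code from the original article), the following Python script parses a `reg export` of the HKCU Run key and flags entries that match the persistence pattern described above: the Run value name quoted in the article, or a command that merely opens a .txt file with notepad.exe at logon. The .reg text is a constructed sample, not a real capture.

```python
import re

# Constructed sample of `reg export` output for the HKCU Run key (not a real capture).
# The second value mirrors the persistence entry described in the article.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Microsoft Update System Web-Helper"="C:\\Windows\\System32\\notepad.exe %UserProfile%\\Desktop\\README.txt"
'''

# Run value name used by Thanatos, as quoted in the article.
KNOWN_BAD_NAMES = {"microsoft update system web-helper"}

# One REG_SZ line of a .reg file: "name"="value", with backslash escapes inside.
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    """Undo .reg escaping: a backslash escapes the character that follows it."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_run_values(reg_text: str) -> dict:
    """Return {value_name: command} for the quoted string values in a .reg export.
    Only REG_SZ values are handled; dword:/hex: values are skipped."""
    values = {}
    for line in reg_text.splitlines():
        m = _VALUE_LINE.match(line.strip())
        if m:
            values[_unescape(m.group(1))] = _unescape(m.group(2))
    return values


def find_suspicious_run_entries(reg_text: str) -> list:
    """Flag Run entries matching the Thanatos pattern: a known value name, or a
    command whose only job is to display a text file with notepad.exe."""
    findings = []
    for name, cmd in parse_run_values(reg_text).items():
        reasons = []
        if name.lower() in KNOWN_BAD_NAMES:
            reasons.append("known Thanatos Run value name")
        if re.search(r'notepad\.exe\s+\S+\.txt\s*$', cmd, re.IGNORECASE):
            reasons.append("notepad.exe opening a text file at logon")
        if reasons:
            findings.append({"name": name, "command": cmd, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_run_entries(SAMPLE_REG_EXPORT):
        print(f["name"], "->", f["command"], "|", ", ".join(f["reasons"]))
```

On a live system, export the key with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` and feed the file contents to `find_suspicious_run_entries`.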

The ransom note of .THANATOS is named README.txt and aims to scare victims into paying the ransom. What is particularly interesting about it is that this variant of Thanatos is the first ransomware to ask for a ransom payment in Bitcoin Cash:

[ASCII-art banner reading "THANATOS"]

Thanatos v1.1

Your files was encrypted. To decrypt your files,
follow next steps:

1. Send $200 to one of these wallets:
BTC: 1HvEZ1jZ7BWgBYPxqCvWtKja3a9hsNa9Eh
ETH: 0x92420e4D96E5A2EbC617f1225E92cA82E24B03ef
BCH: qzuexhcqmkzcdazq6jjk69hkhgnme25c35s9tamz6f

2. Send your TXID and your MachineID to mail
E-Mail: thanatos1.1@yandex.com
Machine ID: {ID HERE}

Do not waste your time, files can only be
decrypted by our decode tool.

In addition to dropping the ransom note, the Thanatos ransomware also has information-stealing capabilities, which it uses to collect a lot of data from infected computers. This information can include:

  • Passwords and logins.
  • Your IP address and System Language.
  • What antivirus software is installed on your computer system.

But the Thanatos ransomware's primary purpose is to encrypt files, and when it does so, the malware does not keep a private decryption key, which means that even if you pay the ransom, there is a real chance that the cyber-crooks will not be able to decrypt your files.

Thanatos Ransomware – Encryption Process

In order to encrypt the files on your computer, THANATOS ransomware generates a new encryption key for each file it encrypts. As stated above, the virus does not save any of the corresponding decryption keys, making it virtually impossible to decrypt the files: the algorithm likely used requires a separate key for each file's decryption, and those keys cannot be found anywhere, even in an encrypted form. The file types believed to be encrypted by the .THANATOS files virus are:

  • Videos.
  • Images.
  • Audio files.
  • Backups.
  • Documents.
  • Archives.

The encryption process works as follows: the virus locates a target file and overwrites key data in it, rendering the file unusable. The virus then appends the .THANATOS file extension, making the files appear as the following image shows:

Remove Thanatos Ransomware and Restore .THANATOS Encrypted Files

In order to remove this ransomware infection from your computer, we recommend following the removal instructions underneath this article. They are divided into manual and automatic removal instructions, and if you do not feel confident removing this ransomware infection manually, we recommend performing the removal automatically, preferably with an advanced anti-malware program, as experts often advise. Such software will automatically clean your computer of all malicious objects related to the .THANATOS files virus and make sure that your system stays protected in the future as well.

If you want to restore your files after they have been encrypted by this ransomware infection, we advise you to follow the file recovery instructions in step ‘2. Restore files encrypted by .THANATOS Files Virus’ below. They do not guarantee that you will be able to restore 100% of your data, but they are a helpful method that may allow you to recover at least some of the files, provided you have not formatted your drive.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
