Thanatos Ransomware – an analysis by Quick Heal Security Labs
Credit to Author: Shriram Munde| Date: Thu, 22 Feb 2018 09:04:02 +0000
Quick Heal Security Labs has come across a new ransomware with AES encryption technique that demands 0.01 Bitcoin as a ransom after encrypting the victim’s files. It’s known as Thanatos Ransomware. Thanatos is a type of a Trojan malware that spreads through malicious advertisements, phishing sites, spam emails, freeware and cracked software. In spam emails, the ransomware arrives with macro embedded attachments like PDF, Zip, Word or Doc. Opening such a file triggers the encryption. Workflow of Thanatos On execution, it checks for the presence of Avenues Power Desk software, Corel software, debuggers, Lotus software, Microsoft PowerPoint, and Star Office software. After the successful execution, it dropped the following artifacts onto the machine: Exe file – ‘<%appdata%/random_folder/random.exe> ‘ Registry – ‘usercurrentsoftwareMicrosoftWindowsCurrentVersionRunDO_NOT_DELETE_THIS = C:WindowsSystem32notepad.exe C:UsersDesktopREADME.txt’ The .exe file starts the encryption activity as soon as it is dropped on the infected system. Fig 1. Thanatos’ ransom note After encryption, it appends an extension .THANATOS to the encrypted file and drops the encryption marker file ‘README.txt’. README.TXT will pop up every time the user reboots the system because of the autorun registry dropped by the malware. Thanatos, on completion of encryption, deletes its process from the memory. How Quick Heal protects its users from the Thanatos Ransomware Quick Heal works on multiple levels to protect its users from this threat. These levels include: Virus Protection Behaviour-based Detection Anti-Ransomware Fig 2. Anti-Ransomware Tool Fig 3. Behaviour Detection Tool Fig 4. Virus Protection How to stay safe from ransomware attacks Files encrypted by this ransomware are hard to decrypt as the ransomware uses a different key for each file, which is generated locally. Therefore, users are advised not to pay any ransom. Follow these safety measures: Always take a backup of your important data in external drives like HDD and pen drives. Consider using a reliable Cloud service to store the data. Never install any freeware or cracked versions of any software. Do not open any advertisement pages shown on websites without knowing that they are genuine. Disable macros while using MS Office. Always install and update your anti-virus to protect your system from unknown threats. Indicators of compromise MD5: – 681211a7b964eaffd13e0610d82a25e7 Subject Matter Experts Shalaka Patil | Quick Heal Security Labs The post Thanatos Ransomware – an analysis by Quick Heal Security Labs appeared first on Quick Heal Technologies Security Blog | Latest computer security news, tips, and advice.
http://blogs.quickheal.com/feed/