ThanatosDecryptor is a command-line utility intended to help you decrypt files encrypted by the Thanatos malware.
When your machine is infected by the Thanatos ransomware, filename extensions are modified to .THANATOS, and you will get a ransom note whenever you attempt to log on to the machine. The ransom note directs you to send the ransom to a cryptocurrency wallet address to facilitate file decryption.
This is a particularly nasty little bit of ransomware for sure. Even if you pay the ransom, it is likely that your data will not be returned: the malware uses a different encryption key for each file on the infected machine and does not store those keys anywhere, so the cybercriminals could not return your data even if they were honorable thieves.
File types currently supported include:
Image: .gif, .tif, .tiff, .jpg, .jpeg, .png
Video: .mpg, .mpeg, .mp4, .avi
Audio: .wav
Document: .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pdf, .odt, .ods, .odp, .rtf
Other: .zip, .7z, .vmdk, .psd, .lnk
In order to decrypt files as quickly as possible, ThanatosDecryptor should be run on the original machine infected with the malware, and against the original .THANATOS files that it created.
ThanatosDecryptor has been tested against versions 1 and 1.1 of the malware. Known malware sample hashes include: