A free decryption tool is available for Thanatos ransomware victims

ZDNet's Danny Palmer explains the evolution of the world's weirdest ransomware.

ZDNet's Danny Palmer talks to TechRepublic and CNET Senior Producer Dan Patterson about how a very weird, free decryption tool has helped victims of the Thanatos ransomware attack. The following is an edited transcript of the interview.

Dan Patterson: The Thanatos ransomware started as a crazy moneymaking operation and quickly evolved into a campaign of pure destruction. Now, there's a tool that lets you unlock it for free. But is this a crazy, weird hacker conspiracy or the next evolution of ransomware? This is a new era of ransomware. Help us explain and understand what the Thanatos ransomware did and why it was different from other forms of malware.

Danny Palmer: Thanatos first appeared in February this year. It's seemingly named after the Greek god of death. Whoever is behind it obviously has a weird, dark sense of humor, I suppose. It initially started out like most forms of ransomware, or so it appeared, in that you download a file, you get a ransom note saying, hey, we've encrypted your files, give us cryptocurrency. In this case, not Bitcoin but other cryptocurrencies like Ethereum and Bitcoin Cash, in order to get your files back. Researchers at Cisco Talos, who are the ones who provided the free encryption tool, have been looking into the ransomware and have found that in the course of six months it's made, well, under $1000, so it's not been successful in extorting money.

It looks like the attackers behind this have now changed their plans slightly. Not using it to try to make money, but just trying to use it to cause destruction. They now just say, you've downloaded a file, in the case it cites in the research it was a Minecraft bot being distributed via a Discord chat channel, which then says, ha, ha, ha, we've encrypted your files, there's nothing you can do about it, with some obscene language at third intricate measure. And, yeah, just to make people miserable, it seemed, and search and of course met with trouble.

But now, at least it seems there is a free decryption tool available, which links to this weird piece of ransomware.

SEE: WannaCry: One year later, is the world ready for another major attack? (TechRepublic)

Dan Patterson: So what does this say about the future of this kind of rapidly evolving space of commoditized, still complex, and highly destructive hacker tools?

Danny Palmer: In terms of ransomware, it's in kind of a strange space now compared to what it was last year. As we know, there are things like WannaCry, which is a big example of a high-profile ransomware attack. Then you also had things like Locky and Cerber rolling along making lots of money, too, infecting organizations and businesses around the world.

But now it seems the landscape has changed somewhat. Those big names don't really seem to be around anymore. They're replaced by... not Thanatos, because it seems to be a rather small player in this field, but things like SamSam, which has been making those behind it a lot of money, because rather than spamming randomly like various other ransomware do, SamSam looks for specific targets it knows it could make big money out of.

The recent attacks against the city of Atlanta, that was SamSam ransomware, and there are cases as well where those behind SamSam have encrypted big, large organizations, industrial systems, hospitals, things like that. Instead of asking for ransoms of... Locky used to ask for a few hundred dollars. This goes on affecting the entire system, and they've been demanding tens of thousands of dollars. It's a very lucrative scheme for them and shows that some ransomware actors are putting a lot of thought into what they're doing in order to get the most big bucks they can.

About Dan Patterson

Dan is a Senior Writer for TechRepublic. He covers cybersecurity and the intersection of technology, politics and government.