This new ransomware group claims to have breached over 30 organisations so far

Prometheus ransomware uses the branding of REvil in an attempt to piggyback on the fame of one of the most infamous - and successful - ransomware groups.
Written by Danny Palmer, Senior Writer

An emerging ransomware operation appears to have links to a veteran cyber-criminal group in the space – while also attempting to piggyback on the reputation of one of the most notorious forms of ransomware.

Prometheus ransomware first emerged in February this year and not only do the criminals behind it encrypt networks and demand a ransom for the decryption key, they also use double extortion tactics and will threaten to leak stolen data if their demands for cryptocurrency aren't met.

Analysis by cybersecurity researchers at Palo Alto Networks details how, like many ransomware operations in 2021, the group runs like a professional enterprise, even going so far as to refer to victims of cyberattacks as "customers" and communicating with them via a ticketing system.


The cyber criminals behind Prometheus claim to have hit over 30 victims around the world so far, including organisations in North America, Europe and Asia. Sectors Prometheus claims to have hit include government, financial services, manufacturing, logistics, consulting, agriculture, healthcare services, insurance agencies, energy and law. 

However, only four victims have paid to date, according to the group's leak site, which claims that a Peruvian agricultural company, a Brazilian healthcare services provider, and transportation and logistics organizations in Austria and Singapore paid ransoms, Palo Alto said.

One notable trait of Prometheus is that it uses the branding of another ransomware group across its infrastructure, claiming to be 'Group of REvil' on the ransom note and across its communication platforms.

REvil is one of the most infamous and most successful ransomware operations, claiming a string of high-profile victims. The FBI recently attributed the ransomware attack against meat processor JBS to the group, which is believed to work out of Russia.

However, despite the use of REvil's name, there doesn't appear to be any link between the two operations – and it's likely that Prometheus is attempting to use the name of an established criminal operation in order to increase its chance of receiving a ransom payment.

"Since there is no solid connection other than the reference of the name, our running theory is that they are leveraging the REvil name to increase their chances of securing payment. If you search for REvil, the headlines are going to speak for themselves versus searching Prometheus ransomware where probably nothing major would've come up," Doel Santos, threat intelligence analyst at Unit 42, Palo Alto Networks, told ZDNet.

Researchers note the operation does have strong links to Thanos ransomware.

Thanos ransomware first emerged for sale on underground forums in the first half of 2020, but its behaviour and infrastructure are almost identical to those of Prometheus, which could suggest that Thanos and Prometheus are run by the same group of criminals.


While researchers haven't been able to identify the exact method by which Prometheus is delivered to victims, Thanos is known to be distributed by buying access to networks that have previously been compromised with malware, by brute-force attacks against commonly used passwords and by phishing attacks.

After compromising victims with ransomware, Prometheus tailors the ransom depending on the target, with demands ranging from $6,000 to $100,000 – a figure that's doubled if the victim doesn't pay within a week.

The ransom is demanded in Monero, rather than Bitcoin, a decision likely made because Monero transactions are more difficult to track than Bitcoin – so there's less chance of the group being detected or their assets seized by law enforcement operations.

It's believed that the group is still active and will continue as long as attacks remain profitable.

"As long as Prometheus keeps targeting vulnerable organizations, it will keep running campaigns," said Santos. "Going forward we would expect this group to keep adding victims to their leak site, and change their techniques as needed," he added.

Given how Prometheus and other ransomware groups often rely on breaching user accounts to embed themselves on networks, one thing that organisations can do to help protect against ransomware attacks is use multi-factor authentication.

Deploying this to all users provides an additional barrier to attacks, making it harder for cyber criminals to exploit stolen credentials as a starting point for ransomware campaigns.

