Prometheus Ransomware is an emerging threat in the malware scene, and it has breached 30 business organizations in just four months since it went operational. The strain is somewhat riding on the coattails of another notorious ransomware syndicate, REvil. Prometheus Ransomware was first spotted in the wild in February 2021, and researchers quickly deduced it was a rebuild of another infamous strain named Thanos. Thanos had previously seen action when deployed against government organizations in Africa and the Middle East last year.
The targets of Prometheus Ransomware are varied, and they include government, financial services, manufacturing, logistics, consulting, agriculture, healthcare services, insurance agencies, energy and law firms in the U.S., U.K., and a dozen more countries in Asia, Europe, the Middle East, and South America. These attacks have been tracked and reported by Palo Alto Networks’ Unit 42 threat intelligence team.
Like many ransomware operations, Prometheus Ransomware carries out double-extortion tactics on its victims, where it names new victims and leaks data from a Dark Web site. This is often done to put pressure on the target to pay the ransom.
“Prometheus runs like a professional enterprise,” Doel Santos, Unit 42 threat intelligence analyst, said. “It refers to its victims as ‘customers,’ communicates with them using a customer service ticketing system that warns them when payment deadlines are approaching and even uses a clock to count down the hours, minutes and seconds to a payment deadline.”
Unit 42 discovered just 4 of the 30 affected organizations opted to pay the ransom to date. These include a Peruvian agricultural company, a Brazilian healthcare services provider, and two transportation and logistics organizations in Austria and Singapore.
Manufacturing was the most impacted industry among the victim organizations observed by researchers, closely followed by the transportation and logistics industry.
Prometheus Ransomware has strong links to Thanos, yet the gang claims to be a “group of REvil.” The REvil gang is one of the most infamous ransomware-as-a-service (RaaS) cartels in recent years. Researchers are speculating that this could be an attempt to deflect attention from Thanos or a deliberate ploy to trick victims into paying up by piggybacking on an established operation.
Prometheus Ransomware's initial attack vector is currently unclear, though the gang is believed to target networks using spear-phishing attacks. Following a successful compromise, the Prometheus modus operandi involves terminating backup and security software-related processes on the system before locking the files behind encryption.
“The Prometheus ransomware operators generate a unique payload per victim, which is used for their negotiation site to recover files,” Santos said, adding that the ransom demand ranges anywhere between $6,000 and $100,000 depending on the victim organization, a price that is doubled if the victim fails to pay up within the designated time period.
Prometheus Ransomware Analysis
Note: This analysis was carried out by Doel Santos of Unit 42.
When Prometheus ransomware is executed, it tries to kill several backup and security software-related processes, such as Raccine, a ransomware prevention tool that tries to stop ransomware from deleting shadow copies in Windows.
Prometheus ransomware appends an extension using the following format: .[XXX-XXX-XXXX]. Unit 42 found that the extensions are hardcoded into the sample and believes that the Prometheus ransomware operators generate a unique payload per victim, which is used for their negotiation site to recover files. Researchers obfuscated the extensions because they could be used to identify the victims on the leak site. Prometheus also adds a hexadecimal string of GotAllDone at the end of all encrypted files.
After the backup and security processes are terminated and encryption is complete, Prometheus ransomware drops two ransom notes: a RESTORE_FILES_INFO.TXT file and a RESTORE_FILES_INFO.TXT.hta file, both containing the same information.
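The three on-disk artifacts just described (the .[XXX-XXX-XXXX] extension, the GotAllDone trailer at the end of encrypted files, and the two RESTORE_FILES_INFO ransom notes) are what an incident responder can check for when triaging a host. The following scanner is an added example written for this article; it is not Unit 42's or SaferNet's tooling. It assumes the X characters in the extension are alphanumeric, and because the page does not spell out how the GotAllDone string is written, it matches both the raw ASCII bytes and their hex-encoded text form. The sample files it builds are constructed placeholders, not real victim data.

```python
"""Triage scanner for the Prometheus ransomware file artifacts described above.
Constructed example; assumptions: alphanumeric victim-ID characters, and the
GotAllDone trailer checked in both ASCII and hex-text form."""
import os
import re
import tempfile
from typing import Dict, List

# Extension format from the analysis: .[XXX-XXX-XXXX]; the character class is an assumption.
EXTENSION_RE = re.compile(r"\.\[[0-9A-Za-z]{3}-[0-9A-Za-z]{3}-[0-9A-Za-z]{4}\]$")

# Trailer appended to encrypted files; both encodings are checked (assumption).
MARKER_ASCII = b"GotAllDone"
MARKER_HEX_UPPER = MARKER_ASCII.hex().upper().encode("ascii")  # b"476F74416C6C446F6E65"
MARKER_HEX_LOWER = MARKER_ASCII.hex().encode("ascii")

# Ransom note names from the analysis, matched case-insensitively.
RANSOM_NOTE_NAMES = {"restore_files_info.txt", "restore_files_info.txt.hta"}


def is_prometheus_extension(filename: str) -> bool:
    """True if the file name ends with the Prometheus victim-ID extension."""
    return EXTENSION_RE.search(filename) is not None


def has_gotalldone_marker(data: bytes) -> bool:
    """True if the content ends with the GotAllDone trailer in either encoding."""
    return data.endswith((MARKER_ASCII, MARKER_HEX_UPPER, MARKER_HEX_LOWER))


def is_ransom_note(filename: str) -> bool:
    """True if the file name is one of the two dropped ransom notes."""
    return filename.lower() in RANSOM_NOTE_NAMES


def read_tail(path: str, length: int = 64) -> bytes:
    """Read only the last `length` bytes so large files are not loaded whole."""
    with open(path, "rb") as fh:
        fh.seek(0, os.SEEK_END)
        size = fh.tell()
        fh.seek(max(0, size - length))
        return fh.read()


def scan_directory(root: str) -> Dict[str, List[str]]:
    """Walk `root` and bucket files by the indicator(s) they match.

    'encrypted' needs both the extension and the trailer; partial matches go to
    'extension_only' or 'marker_only' so a responder can review them separately.
    """
    hits: Dict[str, List[str]] = {
        "encrypted": [], "extension_only": [], "marker_only": [], "ransom_notes": []
    }
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if is_ransom_note(name):
                hits["ransom_notes"].append(rel)
                continue
            ext_hit = is_prometheus_extension(name)
            marker_hit = has_gotalldone_marker(read_tail(full))
            if ext_hit and marker_hit:
                hits["encrypted"].append(rel)
            elif ext_hit:
                hits["extension_only"].append(rel)
            elif marker_hit:
                hits["marker_only"].append(rel)
    for bucket in hits.values():
        bucket.sort()
    return hits


def build_sample_dir() -> str:
    """Create a temp directory of constructed files (not real victim data)."""
    root = tempfile.mkdtemp(prefix="prometheus_demo_")
    samples = {
        "docs/budget.xlsx.[ABC-123-XY9Z]": os.urandom(256) + MARKER_ASCII,      # ASCII trailer
        "docs/plan.docx.[Q7R-8S9-T0U1]": os.urandom(128) + MARKER_HEX_UPPER,   # hex-text trailer
        "docs/notes.txt.[AAA-BBB-CCCC]": b"partial content",                   # extension, no trailer
        "docs/photo.jpg.[AB-12-XYZ]": os.urandom(64),                           # wrong-shape suffix
        "RESTORE_FILES_INFO.TXT": b"constructed placeholder note",
        "docs/RESTORE_FILES_INFO.TXT.hta": b"<html>constructed placeholder</html>",
        "docs/clean.pdf": os.urandom(64),
    }
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for bucket, paths in scan_directory(build_sample_dir()).items():
        print(f"{bucket}: {paths}")
```

Reading only the tail of each file keeps the scan cheap on large volumes, and splitting partial matches into their own buckets avoids both missing interrupted encryptions and mislabelling unrelated files that happen to carry a bracketed suffix.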
The ransom note also includes instructions for contacting Prometheus ransomware operators to recover files, as well as informing the victim that, if the demands are not met, the threat actors will release the data to the public or sell it to a third party.
Since the extensions are used as a victim identifier, by following the instructions on the ransom note, we were able to take a look at the negotiation part of their site using the extension ID to gain access. Interestingly, this group uses a ticketing system for tracking victims. The tickets include a tracking ID, created date, resolution status and priority. A victim can even open a ticket with the threat actors to request data recovery – though this will cost you extra, according to the site.
The Prometheus ransomware operators include a status per victim. Unit 42 found that some of the information posted on the leak site has already been sold to an unknown third party. There are also posts showing that victims within impacted industries paid the ransom and their data was removed from the site.
Malware is an ever-present threat for governments, businesses, and homes. It is important to also have the tools necessary for protection against threats at any level. One of these tools is SaferNet.
SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always-on, military-grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories.
Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employees’ or family members’ devices, including activity, time spent online, and threats blocked.