Prometheus ransomware: A group of REvil?


Share

Unit 42 has spent the past four months following the activities of Prometheus, a new player in the ransomware world that uses similar malware and tactics to ransomware veteran Thanos.

Key findings:
  • Prometheus advertises itself as a “group of REvil”, yet Unit 42 found no evidence linking the two groups together. Instead, Unit 42 discovered that Prometheus shares infrastructure with ransomware veteran Thanos.
  • Prometheus adopts a Ransomware-as-a-Service (RaaS) model and runs like a business, referring to its victims as “customers” and communicates with them using a customer-service ticketing system that warns them when payment deadlines are approaching.
  • 30 organizations impacted globally in government, financial services, manufacturing, logistics, consulting, agriculture, healthcare services, insurance agencies, energy and law firms in the United States, United Kingdom and a dozen more countries in Asia, Europe, the Middle East and South America (including Brazil).
  • 4 organizations paid ransoms, including a Peruvian agricultural company, a Brazilian healthcare services provider as well as transportation and logistics organizations in Austria and Singapore paid ransoms. However, Unit 42 is unable to confirm the ransom amounts.
  • Manufacturing was the most targeted industry with 5 organizations impacted, which is the latest example of ransomware gangs targeting the industrial sector — with the Colonial Pipeline and JBS ransomware attacks dominating headlines in recent weeks.

Prometheus leverages double-extortion tactics and hosts a leak site, where it names new victims and posts stolen data available for purchase. It claims to have breached 30 organizations in government, financial services, manufacturing, logistics, consulting, agriculture, healthcare services, insurance agencies, energy and law firms in the United States, United Kingdom and a dozen more countries in Asia, Europe, the Middle East and South America.

Like many ransomware gangs, Prometheus runs like a professional enterprise. It refers to its victims as “customers,” communicates with them using a customer-service ticketing system that warns them when payment deadlines are approaching and even uses a clock to count down the hours, minutes and seconds to a payment deadline.

“We are closing the ticket and have started an auction on your data,” the group threatens when victims fail to pay up. But there’s an out: Victims can click to open a new “ticket” if they’re willing to pay up to stop the auction and recover their data.

Only four victims have paid to date, according to the group’s leak site. It claims that a Peruvian agricultural company, a Brazilian healthcare services provider and transportation and logistics organizations in Austria and Singapore paid ransoms. However, we’re unable to confirm the ransom amounts.

One interesting note is that Prometheus claims to be part of the notorious ransomware gang REvil. Unit 42 has seen no indication that these two ransomware gangs are related in any way. The claim may be an attempt to exploit REvil’s name to persuade victims to pay up, or it could be a false flag to take attention away from Thanos. 

We’ve compiled this report to shed light into the threat posed by the emergence of new ransomware gangs like Prometheus, which are able to quickly scale up new operations by embracing the ransomware-as-a-service (RaaS) model, in which they procure ransomware code, infrastructure and access to compromised networks from outside providers. The RaaS model has lowered the barrier to entry for ransomware gangs.


Leave a reply