The Prometheus ransomware first appeared in February 2021. The criminals behind the operation not only encrypt victims' networks and demand a ransom for the decryption key, they also practice double extortion, threatening to publish the data they stole if the ransom is not paid.
Analysis by researchers at Palo Alto Networks shows that, like many ransomware operations in 2021, the group runs itself like a business, going so far as to refer to the organizations it attacks as "customers" and to communicate with them through a ticketing system.
Over 30 victims, but only four paid the ransom
The cybercriminals behind Prometheus claim to have hit more than 30 victims worldwide so far, including organizations in North America, Europe and Asia. The sectors Prometheus claims to have affected include government, financial services, manufacturing, logistics, consulting, agriculture, healthcare, insurance, energy and law.
However, according to Palo Alto Networks, the group's leak site shows that only four victims have paid so far: a Peruvian agricultural company, a Brazilian healthcare provider, and transport and logistics organizations in Austria and Singapore.
One of the hallmarks of Prometheus is that it borrows another ransomware group's branding in its own infrastructure, presenting itself as the "Group of REvil" both in the ransom note and on its communications platforms.
Prometheus appears to be borrowing the REvil "brand"
REvil is one of the most infamous and successful ransomware operations, claiming a series of prominent victims. The FBI recently attributed the ransomware attack on meat processor JBS to this group, which is believed to be operating from Russia.
However, despite the use of the REvil name, there appears to be no connection between the two operations. Prometheus is most likely trading on the name of an established criminal operation to increase the odds that victims pay.
"Since there is no strong link other than the name reference, our theory is that they use the REvil name to increase their chances of getting paid. If you search REvil, the headlines will speak for themselves, while a search for Prometheus ransomware probably wouldn't have yielded anything major," said Doel Santos, threat intelligence analyst at Unit 42 of Palo Alto Networks.
Links between Thanos and Prometheus
The researchers note, however, that the operation has strong links to the Thanos ransomware, which was first offered for sale on underground forums in the first half of 2020. Its behavior and infrastructure are almost identical to those of Prometheus, which suggests that Thanos and Prometheus may be run by the same group of criminals.
While the researchers have not been able to identify exactly how Prometheus is delivered to victims, Thanos is known to be distributed by buying access to networks already compromised by other malware, by brute-force attacks against commonly used passwords, and by phishing.
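The brute-force route mentioned above is the one a defender can actually see in logs. The following is an added example, not code from the original article or from Unit 42's report: a small detector that parses constructed OpenSSH-style authentication lines (not a real capture; the hosts, users and TEST-NET addresses are made up) and flags a source IP that is spraying one password across many accounts or hammering a single account, within a sliding time window. The thresholds are assumptions and should be tuned to the environment.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in the style of OpenSSH's auth log; not a real capture.
SAMPLE_LOG = """\
Jun 10 08:00:01 bastion sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 50001 ssh2
Jun 10 08:00:03 bastion sshd[1002]: Failed password for invalid user test from 203.0.113.5 port 50002 ssh2
Jun 10 08:00:05 bastion sshd[1003]: Failed password for root from 203.0.113.5 port 50003 ssh2
Jun 10 08:00:07 bastion sshd[1004]: Failed password for invalid user backup from 203.0.113.5 port 50004 ssh2
Jun 10 08:00:20 bastion sshd[1005]: Accepted password for alice from 198.51.100.7 port 50100 ssh2
Jun 10 08:01:00 bastion sshd[1006]: Failed password for bob from 198.51.100.8 port 50200 ssh2
Jun 10 08:01:02 bastion sshd[1007]: Accepted password for bob from 198.51.100.8 port 50201 ssh2
Jun 10 08:02:00 bastion sshd[1008]: Failed password for root from 192.0.2.9 port 50300 ssh2
Jun 10 08:02:01 bastion sshd[1009]: Failed password for root from 192.0.2.9 port 50301 ssh2
Jun 10 08:02:02 bastion sshd[1010]: Failed password for root from 192.0.2.9 port 50302 ssh2
Jun 10 08:02:03 bastion sshd[1011]: Failed password for root from 192.0.2.9 port 50303 ssh2
Jun 10 08:02:04 bastion sshd[1012]: Failed password for root from 192.0.2.9 port 50304 ssh2
"""

# Matches both "Failed password for invalid user X" and "Failed password for X".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(log_text):
    """Return {source_ip: [(timestamp, username), ...]} for failed password attempts only."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["outcome"] != "Failed":
            continue
        # syslog timestamps carry no year; strptime defaults to 1900, fine for time deltas
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        failures[m["ip"]].append((ts, m["user"]))
    return failures


def detect(log_text, window_s=60, spray_users=4, brute_attempts=5):
    """Label a source IP 'password_spray' (many distinct users) or 'brute_force'
    (one user, many attempts) when a threshold is crossed inside any window_s-second window.
    Thresholds are assumed values, not figures from the article."""
    alerts = {}
    for ip, events in parse_failures(log_text).items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until all events fit inside window_s
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            per_user = Counter(user for _, user in events[start:end + 1])
            if len(per_user) >= spray_users:
                alerts[ip] = "password_spray"
                break
            if max(per_user.values()) >= brute_attempts:
                alerts[ip] = "brute_force"
                break
    return alerts


if __name__ == "__main__":
    for ip, kind in detect(SAMPLE_LOG).items():
        print(f"{ip}: {kind}")
```

In the constructed sample, 203.0.113.5 tries four different accounts in eight seconds and is reported as spraying, 192.0.2.9 hits root five times and is reported as brute force, and bob's single failure followed by a success is ignored. Grouping by source IP is deliberately naive; real sprays rotate source addresses, so a production rule should also count failures per target account across all sources.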
Once a victim is compromised, Prometheus tailors the ransom to the target, with demands ranging from $6,000 to $100,000. The amount doubles if the victim does not pay within a week. Payment is demanded in Monero rather than bitcoin, because Monero transactions are harder for law enforcement to trace and the funds harder to seize.
Multifactor authentication as a shield
The group appears to be still active and is likely to continue as long as its attacks remain profitable. "As long as Prometheus continues to target vulnerable organizations, it will continue to campaign," says Doel Santos. "In the future, the group is likely to add new victims to its leak site and modify its techniques as needed," he adds.
Prometheus, like other ransomware groups, relies on compromised user accounts to gain a foothold in networks. The most effective single protection, especially for organizations, is therefore multifactor authentication.
Deploying it for all users adds a barrier that a stolen or guessed password alone cannot clear, and makes it much harder for criminals to turn compromised credentials into the starting point of a ransomware campaign.
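To make the point concrete, here is an added example (not code from the article or from any product it mentions) of what "a password alone is not enough" means at the login check. It implements HOTP (RFC 4226) and TOTP (RFC 6238) with the standard library, stores a demo account's password as a PBKDF2 hash, and accepts a login only when both the password and the current one-time code are valid. The account, its password and salt are constructed for the demo; the TOTP secret is the RFC 6238 test-vector key so the codes can be checked against the published vectors.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the current code or one `window` steps either side to tolerate clock drift.
    Every candidate is compared (no early return) so timing does not reveal which step matched."""
    counter = unix_time // step
    ok = False
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), code):
            ok = True
    return ok


PBKDF2_ROUNDS = 600_000  # assumed work factor for the demo


def make_user(password: str, totp_secret: bytes, salt: bytes) -> dict:
    """Build a user record: salted PBKDF2 password hash plus the per-user TOTP secret."""
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "pw_hash": pw_hash, "totp_secret": totp_secret}


# Constructed demo account (hypothetical). The TOTP secret is the RFC 6238 test-vector key.
DEMO_SECRET = b"12345678901234567890"
USERS = {"alice": make_user("Winter2021!", DEMO_SECRET, b"\x00" * 16)}


def login(users: dict, username: str, password: str, otp: str, unix_time: int) -> bool:
    """Both factors must verify. A password obtained by phishing or spraying fails without the OTP."""
    user = users.get(username)
    if user is None:
        return False
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    password_ok = hmac.compare_digest(derived, user["pw_hash"])
    otp_ok = verify_totp(user["totp_secret"], otp, unix_time)
    return password_ok and otp_ok


if __name__ == "__main__":
    now = int(time.time())
    stolen_password = "Winter2021!"
    print("password only:", login(USERS, "alice", stolen_password, "", now))
    print("password + OTP:", login(USERS, "alice", stolen_password, totp(DEMO_SECRET, now), now))
```

With the test-vector key, `totp(DEMO_SECRET, 59, digits=8)` yields `94287082` and `hotp(DEMO_SECRET, 0)` yields `755224`, matching the RFCs. The `login` call with the correct password and an empty or stale code returns `False`, which is exactly the barrier the paragraph above describes: the attacker who bought or brute-forced the password still has nothing to present for the second factor.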