A relatively new double extortion ransomware operation called Prometheus is making waves among organisations in the government, financial services, manufacturing, logistics, consulting, farming, healthcare, insurance, energy and legal sectors, and has claimed multiple victims on a global basis, according to research collated by Palo Alto Networks’ Unit 42 team.
Apparently a new variant of a well-known ransomware called Thanos, which has been sold on dark web forums for well over a year at this point, Prometheus first popped up in February of this year. According to Unit 42’s Doel Santos, it has now hit 30 victims, with Santos adding that Prometheus’ rapid ascent was a source of interest.
“We’ve compiled this report to shed light into the threat posed by the emergence of new ransomware gangs like Prometheus, which are able to quickly scale up new operations by embracing the ransomware-as-a-service [RaaS] model, in which they procure ransomware code, infrastructure and access to compromised networks from outside providers. The RaaS model has lowered the barrier to entry for ransomware gangs,” wrote Santos in a disclosure blog published this week.
“Only four victims have paid to date, according to the group’s leak site. It claims that a Peruvian agricultural company, a Brazilian healthcare services provider, and transportation and logistics organisations in Austria and Singapore paid ransoms. However, we’re unable to confirm the ransom amounts,” he said.
Interestingly, its operators claim to be affiliated somehow with the ReVIL or Sodinokibi group, although Santos said he had found no solid connection between the two. He suggested that the Prometheus crew may be trying to fly on ReVIL’s coat-tails to some extent, using their infamy to increase the chance of a pay-out.
Santos said that like many other current ransomwares, Prometheus runs itself with an air of pseudo-professionalism, referring to victims as customers, and using a customer service ticketing system for negotiations.
Like others – such as Conti – Prometheus’ operators research their targets ahead of time to tailor their ransom demands. From the available information, ransoms have ranged from $6,000 to $100,000, payable in the monero cryptocurrency. The initial demand tends to be doubled if the victims do not respond within a week.
At the time of writing, he added, there is little intelligence on how the Prometheus payload is delivered to its victims, but it may well be via brute forcing credentials, buying privileged access, or spear phishing.
More details of the gang’s operation, including indicators of compromise (IoCs) and relevant tactics, techniques and procedures, can be read here.
