An emerging ransomware operation appears to be affiliated with a veteran cybercriminal group, and is seeking a reputation as one of the most notorious ransomware families. This is Prometheus ransomware, which first appeared in February of this year. The cybercriminals behind it not only encrypt networks and demand a ransom from victims in exchange for a decryption key, but also use double-extortion tactics, threatening to leak the stolen data if their demands for payment in cryptocurrency are not met.
Analysis by security researchers at Palo Alto Networks reports how, like many ransomware operations in 2021, Prometheus is run as a business, even to the extent that it refers to its victims as "customers" and communicates with them through a ticketing system.
The cybercriminals behind Prometheus claim to have "hit" over 30 organizations worldwide so far, including organizations based in Europe, North America and Asia. They also report that their victims include governments, insurance and financial services, as well as the construction, supply, consulting, agriculture, healthcare, legal and energy sectors.
However, only four victims have paid the ransom so far, according to the group's leak site, which claims that a Peruvian agricultural company, a Brazilian healthcare provider, and transport and logistics agencies in Austria and Singapore have paid.
A notable feature of Prometheus ransomware is that it uses the name of another ransomware group, REvil, in its ransom note and on all of its communication platforms, claiming to be that group.
REvil is one of the most notorious and successful ransomware operations, with numerous high-profile victims. The FBI recently attributed the ransomware attack on meat supplier JBS to the group, which is believed to operate out of Russia.
However, despite the use of the REvil name, there does not appear to be any connection between the two operations. Prometheus may simply be borrowing the name of an established criminal enterprise to increase the likelihood that victims pay.
The researchers also point out that this operation has strong "ties" to Thanos ransomware. Thanos first appeared on an underground forum in the first half of 2020, and its behavior and infrastructure are almost identical to those of Prometheus, which could suggest that Thanos and Prometheus are run by the same group of cybercriminals.
While the researchers have not been able to determine exactly how Prometheus is delivered to victims, Thanos is known to be distributed through access to previously compromised networks, obtained via malware, brute-force password attacks and phishing.
After hitting victims with the ransomware, the Prometheus cybercriminals adjust the ransom according to the target, with demands ranging from $6,000 to $100,000, amounts that double if the victim does not pay within a week.
The ransom is demanded in Monero rather than Bitcoin, a decision probably made because Monero transactions are harder to trace than Bitcoin ones, so the group is less likely to be identified or to have its assets seized by law enforcement.
The group is believed to still be active and will likely continue as long as the attacks remain profitable.
Given that Prometheus and other ransomware groups typically rely on compromised user accounts to break into networks, one thing organizations can do to protect themselves from such attacks is to use multi-factor authentication (MFA).
Deploying MFA to all users adds one more barrier, making it harder for cybercriminals to use stolen credentials as the starting point for a ransomware campaign.
Source of information: zdnet.com