Dark Reading is part of the Informa Tech Division of Informa PLC


New Ransomware Group Claiming Connection to REvil Gang Surfaces

"Prometheus" is the latest example of how the ransomware-as-a-service model is letting new gangs scale up operations quickly.

A new ransomware group that claims to have impacted some 30 organizations since earlier this year is the latest example of how quickly criminal gangs are able to scale up new operations using ransomware-as-a-service offerings.

The group, Prometheus, first surfaced in February. Researchers from Palo Alto Networks (PAN), who have been tracking the gang, this week described it as using double-extortion tactics — data encryption and data theft — to try to extract money from victims. The group hosts a leak site that it has been using to name new victims and post stolen data for purchase when a victim refuses or is unable to pay the demanded ransom.


According to PAN, Prometheus claims it has breached at least 30 organizations across multiple sectors, including government, manufacturing, financial services, logistics, insurance, and health care. On average, the group has demanded between $6,000 and $100,000 in Monero cryptocurrency as a ransom — relatively modest amounts by current cyber-extortion standards. The demanded ransom amount doubles if victims don't respond within the one-week deadline set by the Prometheus gang.

As is often the case, most of the group's victims are US-based organizations. Other impacted countries include Brazil, Norway, France, Peru, Mexico, and the UK. So far, four victims have paid a ransom to get their data back.

Doel Santos, threat intelligence analyst at PAN's Unit 42 threat intelligence group, says there is little to suggest the Prometheus group is going after victims in a targeted fashion.

"We believe the Prometheus ransomware group is opportunistic," Santos says. "By looking at their alleged victims, they didn't seem to follow any rules or avoid certain organizations." Instead, they are attacking vulnerable organizations as they find them.

Prometheus has portrayed itself as belonging to REvil (aka Sodinokibi), an infamous ransomware-as-a-service operator that is believed to be responsible for the attack that crippled operations at US meat supplier JBS. However, there is little evidence to back up that claim, says PAN.

Instead, the group appears to be among the many new ones that have been able to quickly scale up operations by procuring ransomware code, infrastructure, and access to compromised networks via third-party providers. The Prometheus ransomware strain itself, for example, appears to be a new variant of Thanos, a previously known ransomware tool that has been available for sale on Dark Web markets for months, PAN says. It's unclear how the group is delivering the ransomware on victim networks, but it is possible they are buying access to compromised networks in criminal markets.

Like many established ransomware operators, the gang behind Prometheus has adopted a very professional approach to dealing with its victims — including referring to them as "customers," PAN said. Members of the group communicate with victims via a customer service ticketing system that includes warnings on approaching payment deadlines and notifications of plans to sell stolen data via auction if the deadline is not met.

"New ransomware gangs like Prometheus follow the same TTPs as big players [such as] Maze, Ryuk, and NetWalker because it is usually effective when applied the right way with the right victim," Santos says. "However, we do find it interesting that this group sells the data if no ransom is paid and are very vocal about it."  

From samples provided by the Prometheus ransomware gang on their leak site, the group appears to be selling stolen databases, emails, invoices, and documents that include personally identifiable information. 

"There are marketplaces where threat actors can sell leaked data for a profit, but we currently don't have any insight on how much this information could be sold in a marketplace," Santos says.

Rapid Proliferation
The rapid proliferation of professionally run ransomware groups such as Prometheus and the increasingly brazen nature of their attacks have caused widespread concern. Two attacks in particular — the May ransomware attack on Colonial Pipeline, which resulted in the shutdown of 5,500 miles of pipeline in the United States, and the early June attack on meat supplier JBS USA — have triggered urgent calls for some kind of national response to the threat. According to Reuters, the US Department of Justice has begun giving ransomware attacks the same priority it gives to terrorist actions.

"Governments need to take this very seriously, and work to actively track and disrupt gangs, and give practical guidance to the private sector on how to protect itself," UK cybersecurity expert Kevin Beaumont, who is head of Arcadia Group's SOC, wrote recently. "Why? Because uncontrolled groups of serious organized criminals, with the ability to inflict deliberate harm, are an international security threat."  

Security experts such as Beaumont worry that the money ransomware groups are raking in from their attacks is only setting them up to launch even bigger and potentially more destructive attacks down the road. They believe that far from winding down, the volume of ransomware attacks is only going to explode in the near term as more criminals join the fray.

Sean Nikkei, senior cyberthreat intel analyst at Digital Shadows, says the number of publicly known ransomware groups is just the tip of the iceberg.

"The ransomware landscape is sizable," Nikkei says. "While some recent campaigns have been relatively public, usually due to the data disclosures involved, these groups represent only a fraction of the possible attackers out there."

A coordinated effort is required to deal with the problem, adds Rick Holland, senior vice president of strategy at Digital Shadows.

"While treating the ransomware threat like terrorism is helpful, it is good to remember that the global war on terrorism, also known as the 'forever war,' has been going on for more than 30 years," he says.

While more resources will certainly be applied to address ransomware threats, people also need to recognize it as a long-term threat and analogous to chronic health conditions.

"You don't solve hypertension, diabetes, and heart disease overnight," Holland notes. "You need a holistic approach to minimize these risks."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
