Dark Reading is part of the Informa Tech Division of Informa PLC


Attacks/Breaches

6/10/2021 06:30 PM

New Ransomware Group Claiming Connection to REvil Gang Surfaces

"Prometheus" is the latest example of how the ransomware-as-a-service model is letting new gangs scale up operations quickly.

A new ransomware group that claims to have impacted some 30 organizations since earlier this year is the latest example of how quickly criminal gangs are able to scale up new operations using ransomware-as-a-service offerings.

The group, Prometheus, first surfaced in February. Researchers from Palo Alto Networks (PAN) who have been tracking the gang this week described it as using double-extortion tactics — data encryption and data theft — to try and extract money from victims. The group hosts a leak site that it has been using to name new victims and post stolen data for purchase when a victim refuses or is unable to pay the demanded ransom.

According to PAN, Prometheus claims it has breached at least 30 organizations across multiple sectors, including government, manufacturing, financial services, logistics, insurance, and health care. On average, the group has demanded between $6,000 and $100,000 in Monero cryptocurrency as a ransom — relatively modest amounts by current cyber-extortion standards. The demanded ransom amount doubles if victims don't respond within the one-week deadline set by the Prometheus gang.

As is often the case, most of the group's victims are US-based organizations. Other impacted countries include Brazil, Norway, France, Peru, Mexico, and the UK. So far four victims have paid a ransom to get their data back.

Doel Santos, threat intelligence analyst at PAN's Unit 42 threat intelligence group, says there is little to suggest the Prometheus group is going after victims in a targeted fashion.

"We believe the Prometheus ransomware group is opportunistic," Santos says. "By looking at their alleged victims, they didn't seem to follow any rules or avoid certain organizations." Instead, they are attacking vulnerable organizations as they find them.

Prometheus has portrayed itself as belonging to REvil (aka Sodinokibi), an infamous ransomware-as-a-service operator that is believed to be responsible for the attack that crippled operations at US meat supplier JBS. However, there is little evidence to back up that claim, says PAN.

Instead, the group appears to be among the many new ones that have been able to quickly scale up operations by procuring ransomware code, infrastructure, and access to compromised networks via third-party providers. The Prometheus ransomware strain itself, for example, appears to be a new variant of Thanos, a previously known ransomware tool that has been available for sale on Dark Web markets for months, PAN says. It's unclear how the group is delivering the ransomware on victim networks, but it is possible they are buying access to compromised networks in criminal markets.

Like many established ransomware operators, the gang behind Prometheus has adopted a very professional approach to dealing with its victims — including referring to them as "customers," PAN said. Members of the group communicate with victims via a customer service ticketing system that includes warnings on approaching payment deadlines and notifications of plans to sell stolen data via auction if the deadline is not met.

"New ransomware gangs like Prometheus follow the same TTPs as big players [such as] Maze, Ryuk, and NetWalker because it is usually effective when applied the right way with the right victim," Santos says. "However, we do find it interesting that this group sells the data if no ransom is paid and are very vocal about it."

From samples provided by the Prometheus ransomware gang on their leak site, the group appears to be selling stolen databases, emails, invoices, and documents that include personally identifiable information.

"There are marketplaces where threat actors can sell leaked data for a profit, but we currently don't have any insight on how much this information could be sold in a marketplace," Santos says.

Rapid Proliferation

The rapid proliferation of professionally run ransomware groups such as Prometheus and the increasingly brazen nature of their attacks have caused widespread concern. Two attacks in particular — the May ransomware attack on Colonial Pipeline, which resulted in the shutdown of 5,500 miles of pipeline in the United States, and the early June attack on meat supplier JBS USA — have triggered urgent calls for some kind of national response to the threat. According to Reuters, the US Department of Justice has begun giving ransomware attacks the same priority they give to terrorist actions.

"Governments need to take this very seriously, and work to actively track and disrupt gangs, and give practical guidance to the private sector on how to protect itself," UK cybersecurity expert Kevin Beaumont, who is head of Arcadia Group's SOC, wrote recently. "Why? Because uncontrolled groups of serious organized criminals, with the ability to inflict deliberate harm, are an international security threat."

Security experts such as Beaumont worry that the money ransomware groups are raking in from their attacks is only setting them up to launch even bigger and potentially more destructive attacks down the road. They believe that, far from winding down, the volume of ransomware attacks is only going to explode in the near term as more criminals join the fray.

Sean Nikkei, senior cyberthreat intel analyst at Digital Shadows, says the number of publicly known ransomware groups is just the tip of the iceberg.

"The ransomware landscape is sizable," Nikkei says. "While some recent campaigns have been relatively public, usually due to the data disclosures involved, these groups represent only a fraction of the possible attackers out there."

A coordinated effort is required to deal with the problem, adds Rick Holland, senior vice president of strategy at Digital Shadows.

"While treating the ransomware threat like terrorism is helpful, it is good to remember that the global war on terrorism, also known as the 'forever war,' has been going on for more than 30 years," he says.

While more resources will certainly be applied to address ransomware threats, people also need to recognize it as a long-term threat, analogous to chronic health conditions, he adds.

"You don't solve hypertension, diabetes, and heart disease overnight," Holland notes. "You need a holistic approach to minimize these risks."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...