New Ransomware Group Claiming Connection to REvil Gang Surfaces

"Prometheus" is the latest example of how the ransomware-as-a-service model is letting new gangs scale up operations quickly.

A new ransomware group that claims to have impacted some 30 organizations since earlier this year is the latest example of how quickly criminal gangs are able to scale up new operations using ransomware-as-a-service offerings.

The group, Prometheus, first surfaced in February. Researchers from Palo Alto Networks (PAN) who have been tracking the gang described it this week as using double-extortion tactics, data encryption plus data theft, to try to extract money from victims. The group runs a leak site that it uses to name new victims and to put stolen data up for sale when a victim refuses or is unable to pay the demanded ransom.


According to PAN, Prometheus claims it has breached at least 30 organizations across multiple sectors, including government, manufacturing, financial services, logistics, insurance, and health care. Ransom demands have ranged from $6,000 to $100,000, payable in Monero cryptocurrency, relatively modest amounts by current cyber-extortion standards. The demand doubles if the victim does not respond within the one-week deadline the gang sets.

As is often the case, most of the group's victims are US-based organizations. Other affected countries include Brazil, Norway, France, Peru, Mexico, and the UK. So far, four victims have paid a ransom to get their data back.

Doel Santos, threat intelligence analyst at PAN's Unit 42 threat intelligence group, says there is little to suggest the Prometheus group is going after victims in a targeted fashion.

"We believe the Prometheus ransomware group is opportunistic," Santos says. "By looking at their alleged victims, they didn't seem to follow any rules or avoid certain organizations." Instead, they are attacking vulnerable organizations as they find them.

Prometheus has portrayed itself as belonging to REvil (aka Sodinokibi), an infamous ransomware-as-a-service operator that is believed to be responsible for the attack that crippled operations at US meat supplier JBS. However, there is little evidence to back up that claim, says PAN.

Instead, the group appears to be one of the many new operations that have scaled up quickly by procuring ransomware code, infrastructure, and access to already compromised networks from third-party providers. The Prometheus ransomware itself, for example, appears to be a new variant of Thanos, a previously known ransomware tool that has been for sale on Dark Web markets for months, PAN says. It is unclear how the group is delivering the ransomware to victim networks, but it may be buying access to compromised networks in criminal markets.

Like many established ransomware operators, the gang behind Prometheus has adopted a very professional approach to dealing with its victims, including referring to them as "customers," PAN said. Members of the group communicate with victims through a customer-service ticketing system that issues warnings as payment deadlines approach and notices that stolen data will be sold at auction if the deadline is missed.

"New ransomware gangs like Prometheus follow the same TTPs as big players [such as] Maze, Ryuk, and NetWalker because it is usually effective when applied the right way with the right victim," Santos says. "However, we do find it interesting that this group sells the data if no ransom is paid and are very vocal about it."  

From samples the Prometheus gang has posted on its leak site, the group appears to be selling stolen databases, emails, invoices, and documents that contain personally identifiable information.

"There are marketplaces where threat actors can sell leaked data for a profit, but we currently don't have any insight on how much this information could be sold in a marketplace," Santos says.

Rapid Proliferation
The rapid proliferation of professionally run ransomware groups such as Prometheus and the increasingly brazen nature of their attacks have caused widespread concern. Two attacks in particular, the May ransomware attack on Colonial Pipeline, which resulted in the shutdown of 5,500 miles of pipeline in the United States, and the early June attack on meat supplier JBS USA, have triggered urgent calls for some kind of national response to the threat. According to Reuters, the US Department of Justice has begun giving ransomware attacks the same priority it gives to terrorist actions.

"Governments need to take this very seriously, and work to actively track and disrupt gangs, and give practical guidance to the private sector on how to protect itself," UK cybersecurity expert Kevin Beaumont, who is head of Arcadia Group's SOC, wrote recently. "Why? Because uncontrolled groups of serious organized criminals, with the ability to inflict deliberate harm, are an international security threat."  

Security experts such as Beaumont worry that the money ransomware groups are raking in from their attacks is only setting them up to launch even bigger and potentially more destructive attacks down the road. They believe that, far from winding down, the volume of ransomware attacks is only going to explode in the near term as more criminals join the fray.

Sean Nikkei, senior cyberthreat intel analyst at Digital Shadows, says the number of publicly known ransomware groups is just the tip of the iceberg.

"The ransomware landscape is sizable," Nikkei says. "While some recent campaigns have been relatively public, usually due to the data disclosures involved, these groups represent only a fraction of the possible attackers out there."

A coordinated effort is required to deal with the problem, adds Rick Holland, senior vice president of strategy at Digital Shadows.

"While treating the ransomware threat like terrorism is helpful, it is good to remember that the global war on terrorism, also known as the 'forever war,' has been going on for more than 30 years," he says.

While more resources will certainly be applied to address ransomware, people also need to recognize it as a long-term threat, analogous to chronic health conditions, he adds.

"You don't solve hypertension, diabetes, and heart disease overnight," Holland notes. "You need a holistic approach to minimize these risks."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.
