Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


End of Bibblio RCM includes -->
06:30 PM
Connect Directly

New Ransomware Group Claiming Connection to REvil Gang Surfaces

"Prometheus" is the latest example of how the ransomware-as-a-service model is letting new gangs scale up operations quickly.

A new ransomware group that claims to have impacted some 30 organizations since earlier this year is the latest example of how quickly criminal gangs are able to scale up new operations using ransomware-as-a-service offerings.

The group, Prometheus, first surfaced in February. Researchers from Palo Alto Networks (PAN) who have been tracking the gang this week described it as using double-extortion tactics — data encryption and data theft — to try and extract money from victims. The group hosts a leak site that it has been using to name new victims and post stolen data for purchase when a victim refuses or is unable to pay the demanded ransom.

Related Content:

Ransomware Cartels Using New Tactics to Extort Money

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: 11 Cybersecurity Vendors to Watch in 2021

According to PAN, Prometheus claims it has breached at least 30 organizations across multiple sectors, including government, manufacturing, financial services, logistics, insurance, and health care. On average, the group has demanded between $6,000 and $100,000 in Monero cryptocurrency as a ransom — relatively modest amounts by current cyber-extortion standards. The demanded ransom amount doubles if victims don't respond within the one-week deadline set by the Prometheus gang.

As is often the case, most of the group's victims are US-based organizations. Other impacted countries include Brazil, Norway, France, Peru, Mexico, and the UK. So far four victims have paid a ransom to get their data back.

Doel Santos, threat intelligence analyst at PAN's Unit 42 threat intelligence group, says there is little to suggest the Prometheus group is going after victims in a targeted fashion.

"We believe the Prometheus ransomware group is opportunistic," Santos says. "By looking at their alleged victims, they didn't seem to follow any rules or avoid certain organizations." Instead, they are attacking vulnerable organizations as they find them.

Prometheus has portrayed itself as belonging to REvil (aka Sodinokibi), an infamous ransomware-as-a-service operator that is believed to be responsible for the attack that crippled operations at US meat supplier JBS. However, there is little evidence to back up that claim, says PAN.

Instead, the group appears to be among the many new ones that have been able to quickly scale up operations by procuring ransomware code, infrastructure, and access to compromised networks via third-party providers. The Prometheus ransomware strain itself, for example, appears to be a new variant of Thanos, a previously known ransomware tool that has been available for sale on Dark Web markets for months, PAN says. It's unclear how the group is delivering the ransomware on victim networks, but it is possible they are buying access to compromised networks in criminal markets.

Like many established ransomware operators, the gang behind Prometheus has adopted a very professional approach to dealing with its victims — including referring to them as "customers," PAN said. Members of the group communicate with victims via a customer service ticketing system that includes warnings on approaching payment deadlines and notifications of plans to sell stolen data via auction if the deadline is not met.

"New ransomware gangs like Prometheus follow the same TTPs as big players [such as] Maze, Ryuk, and NetWalker because it is usually effective when applied the right way with the right victim," Santos says. "However, we do find it interesting that this group sells the data if no ransom is paid and are very vocal about it."  

From samples provided by the Prometheus ransomware gang on their leak site, the group appears to be selling stolen databases, emails, invoices, and documents that include personally identifiable information. 

"There are marketplaces where threat actors can sell leaked data for a profit, but we currently don't have any insight on how much this information could be sold in a marketplace," Santos says

Rapid Proliferation
The rapid proliferation of professionally run ransomware groups such as Prometheus and the increasingly brazen nature of their attacks have caused widespread concern. Two attacks in particular — the May ransomware attack on Colonial Pipeline, which resulted in the shutdown of 5,500 miles of pipeline in the United States, and the early June attack on meat supplier JBS USA — have triggered urgent calls for some kind of national response to the threat. According to Reuters, the US Department of Justice has begun giving ransomware attacks the same priority they give to terrorist actions.

"Governments need to take this very seriously, and work to actively track and disrupt gangs, and give practical guidance to the private sector on how to protect itself," UK cybersecurity expert Kevin Beaumont, who is head of Arcadia Group's SOC, wrote recently. "Why? Because uncontrolled groups of serious organized criminals, with the ability to inflict deliberate harm, are an international security threat."  

Security experts such as Beaumont worry that the money ransomware groups are raking in from their attacks is only setting them up to launch even bigger and potentially more destructive attacks down the road. They believe that far from winding down, the volume of ransomware attacks are only going to explode in the near term as more criminals join the fray.

Sean Nikkei, senior cyberthreat intel analyst at Digital Shadows, says the number of publicly known ransomware groups is just the tip of the iceberg.

"The ransomware landscape is sizable," Nikkei says. "While some recent campaigns have been relatively public, usually due to the data disclosures involved, these groups represent only a fraction of the possible attackers out there."

A coordinated effort is required to deal with the problem, adds Rick Holland, senior vice president of strategy at Digital Shadows.

"While treating the ransomware threat like terrorism is helpful, it is good to remember that the global war on terrorism, also known as the 'forever war,' has been going on for more than 30 years," he says.

While more resources will certainly be applied to address ransomware threats, people also need to recognize it as a long-term threat and analogous to chronic health conditions.

"You don't solve hypertension, diabetes, and heart disease overnight," Holland notes. "You need a holistic approach to minimize these risks."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file