New Ransomware Group Claiming Connection to REvil Gang Surfaces
"Prometheus" is the latest example of how the ransomware-as-a-service model is letting new gangs scale up operations quickly.
June 10, 2021
A new ransomware group that claims to have impacted some 30 organizations since earlier this year is the latest example of how quickly criminal gangs are able to scale up new operations using ransomware-as-a-service offerings.
The group, Prometheus, first surfaced in February. Researchers from Palo Alto Networks (PAN) who have been tracking the gang this week described it as using double-extortion tactics — data encryption and data theft — to try and extract money from victims. The group hosts a leak site that it has been using to name new victims and post stolen data for purchase when a victim refuses or is unable to pay the demanded ransom.
According to PAN, Prometheus claims it has breached at least 30 organizations across multiple sectors, including government, manufacturing, financial services, logistics, insurance, and health care. On average, the group has demanded between $6,000 and $100,000 in Monero cryptocurrency as a ransom — relatively modest amounts by current cyber-extortion standards. The demanded ransom amount doubles if victims don't respond within the one-week deadline set by the Prometheus gang.
As is often the case, most of the group's victims are US-based organizations. Other impacted countries include Brazil, Norway, France, Peru, Mexico, and the UK. So far four victims have paid a ransom to get their data back.
Doel Santos, threat intelligence analyst at PAN's Unit 42 threat intelligence group, says there is little to suggest the Prometheus group is going after victims in a targeted fashion.
"We believe the Prometheus ransomware group is opportunistic," Santos says. "By looking at their alleged victims, they didn't seem to follow any rules or avoid certain organizations." Instead, they are attacking vulnerable organizations as they find them.
Prometheus has portrayed itself as belonging to REvil (aka Sodinokibi), an infamous ransomware-as-a-service operator that is believed to be responsible for the attack that crippled operations at US meat supplier JBS. However, there is little evidence to back up that claim, says PAN.
Instead, the group appears to be among the many new ones that have been able to quickly scale up operations by procuring ransomware code, infrastructure, and access to compromised networks via third-party providers. The Prometheus ransomware strain itself, for example, appears to be a new variant of Thanos, a previously known ransomware tool that has been available for sale on Dark Web markets for months, PAN says. It's unclear how the group is delivering the ransomware on victim networks, but it is possible they are buying access to compromised networks in criminal markets.
Like many established ransomware operators, the gang behind Prometheus has adopted a very professional approach to dealing with its victims — including referring to them as "customers," PAN said. Members of the group communicate with victims via a customer service ticketing system that includes warnings on approaching payment deadlines and notifications of plans to sell stolen data via auction if the deadline is not met.
"New ransomware gangs like Prometheus follow the same TTPs as big players [such as] Maze, Ryuk, and NetWalker because it is usually effective when applied the right way with the right victim," Santos says. "However, we do find it interesting that this group sells the data if no ransom is paid and are very vocal about it."
From samples provided by the Prometheus ransomware gang on their leak site, the group appears to be selling stolen databases, emails, invoices, and documents that include personally identifiable information.
"There are marketplaces where threat actors can sell leaked data for a profit, but we currently don't have any insight on how much this information could be sold in a marketplace," Santos says
Rapid Proliferation
The rapid proliferation of professionally run ransomware groups such as Prometheus and the increasingly brazen nature of their attacks have caused widespread concern. Two attacks in particular — the May ransomware attack on Colonial Pipeline, which resulted in the shutdown of 5,500 miles of pipeline in the United States, and the early June attack on meat supplier JBS USA — have triggered urgent calls for some kind of national response to the threat. According to Reuters, the US Department of Justice has begun giving ransomware attacks the same priority they give to terrorist actions.
"Governments need to take this very seriously, and work to actively track and disrupt gangs, and give practical guidance to the private sector on how to protect itself," UK cybersecurity expert Kevin Beaumont, who is head of Arcadia Group's SOC, wrote recently. "Why? Because uncontrolled groups of serious organized criminals, with the ability to inflict deliberate harm, are an international security threat."
Security experts such as Beaumont worry that the money ransomware groups are raking in from their attacks is only setting them up to launch even bigger and potentially more destructive attacks down the road. They believe that far from winding down, the volume of ransomware attacks are only going to explode in the near term as more criminals join the fray.
Sean Nikkei, senior cyberthreat intel analyst at Digital Shadows, says the number of publicly known ransomware groups is just the tip of the iceberg.
"The ransomware landscape is sizable," Nikkei says. "While some recent campaigns have been relatively public, usually due to the data disclosures involved, these groups represent only a fraction of the possible attackers out there."
A coordinated effort is required to deal with the problem, adds Rick Holland, senior vice president of strategy at Digital Shadows.
"While treating the ransomware threat like terrorism is helpful, it is good to remember that the global war on terrorism, also known as the 'forever war,' has been going on for more than 30 years," he says.
While more resources will certainly be applied to address ransomware threats, people also need to recognize it as a long-term threat and analogous to chronic health conditions.
"You don't solve hypertension, diabetes, and heart disease overnight," Holland notes. "You need a holistic approach to minimize these risks."
About the Author
You May Also Like