A growing ransomware strain in the threat landscape claims to have compromised 30 companies in just four months, following the reputation of a legendary ransomware ring, according to The Hacker News.
Prometheus was first discovered in February 2021. It is a derivative of Thanos, a well-known ransomware strain that was used against government entities last year in the Middle East and North Africa.
According to new research released by Palo Alto Networks’ Unit 42 Threat Intelligence Team, businesses in government, financial services, manufacturing, logistics, consulting, agriculture, healthcare, insurance agencies, energy, and law firms in the U.S., United Kingdom, and a dozen other countries in Asia, Europe, Middle East, and South America are believed to have been affected.
Prometheus, like other ransomware groups, uses duplicitous extortion techniques and maintains a dark web leak site where it names and shames new victims and sells stolen data, displaying a professional demeanor in its illegal actions.
However, according to the cybersecurity firm’s investigation, only four of the 30 impacted firms have paid ransoms so far, including a Peruvian agricultural company, a Brazilian healthcare services provider, and two transportation and logistics firms in Austria and Singapore.
Prometheus ransomware has affected the United States, Brazil, Norway, France, Peru, Mexico, the United Kingdom, Switzerland, Singapore, Malaysia, Italy, India, Ghana, France, El Salvador, Chile, the United Arab Emirates, and Austria.
Doel Santos, Unit 42 threat intelligence analyst, notes “Prometheus runs like a professional enterprise”.
“It refers to its victims as ‘customers,’ communicates with them using a customer service ticketing system that warns them when payment deadlines are approaching and even uses a clock to count down the hours, minutes and seconds to a payment deadline”.
However, according to the cybersecurity firm’s investigation, only 4 of the 30 affected companies have paid a ransom so far, including a Peruvian agricultural company, a Brazilian healthcare provider, and 2 transport and logistics companies in Austria and Singapore.
Despite Prometheus’ strong ties to Thanos, the gang claims to be a group of REvil, one of the most prolific and notorious ransomware-as-a-service (RaaS) cartels in recent years. Researchers suspect this could be an attempt to divert attention from Thanos, or a deliberate ploy to trick victims into paying by piggybacking on an established operation.
Although the initial entry point of the ransomware is unknown, it is likely that the group purchased access to the target networks or staged spear phishing and brute force operations to gain access. After a successful compromise, Prometheus’ mode of operation is to halt backup and security software-related operations on the computer in order to encrypt the contents.
This development also comes at a time when cybercriminal organizations are increasingly targeting SonicWall devices to penetrate corporate networks and spread ransomware.
CrowdStrike discovered evidence in a study published this week that remote access vulnerabilities (CVE-2019-7481) in SonicWall SRA 4600 VPN appliances are being exploited as an initial access vector for ransomware attacks against enterprises worldwide.