Prometheus ransomware targets U.S, U.K, and a dozen more countries

More than 30 various international organizations allegedly fall victim to a new ransomware group

New ransomware is threatening organizations worldwide

Prometheus ransomware has first struck the world at the beginning of this year, in February. The group behind this malware became famous for using double extorsion techniques. It includes not only encrypting files on targetted machines or networks but also threatening the victims to release stolen info if they don't forward the demanded amount in preferred cryptocurrency.

Such information usually consists of employee details (names, bank accounts, serial security numbers, IDs, etc.), non-disclosure agreements, payrolls, bank statements, and so on. This incentivizes most companies to succumb to the demands of their assailants.

According to cybersecurity researchers,^[1] the newly created criminal enterprise runs like a well-oiled machine. They address their victims as clients or customers and interact with them through a ticketing system. The Prometheus ransomware gang has bragged about breaching more than 30 major organizations worldwide.

The attacks were targeted at different sectors such as:

• manufacturing,
• logistics,
• government,
• financial services,
• insurance agencies,
• consulting,
• agriculture, etc.

Reportedly, only four victims of the Prometheus cyberattacks have agreed to pay the assailants, including a Brazilian healthcare provider, an agricultural company based in Peru, and two logistics companies, based in Singapore and Austria. Thus showing that the hackers target organizations in various countries.

The new hacker group impersonates a well-known criminal organization

Security experts spotted the fairly new criminal organization to use the name of another hacker group calling themselves REvil.^[2] This group is thought to be working from Russia and offers ransomware-as-a-service (RaaS) options. It is famous in the cybersecurity community for accomplishing high-profile hacks.

Few of their latest and most destructive hacks included an attack on the worlds leading processed meat supplier JBS FOODS,^[3] which had to shut down all of their facilities across Canada, the U.S., and Australia, and an attack on Apple supplier which resulted in upcoming product schematics theft.

After a thorough investigation and analysis of the ransomware attacks and other peculiarities, cybersecurity researchers haven't found any links between the two groups. That suggests that the newly created one could try to push victims into succumbing to their demands by pretending to be a well-established criminal organization.

As a threat intelligence analyst told the reporters:^[4]

If you search for REvil, the headlines are going to speak for themselves versus searching Prometheus ransomware where probably nothing major would've come up.

A deeper look at the Prometheus ransomware functionalities

The first thing that stands out about this new malware from others is that its developers demand to pay the ransom in Monero, not Bitcoins. Criminals might choose this form of payment due to the US law enforcement agencies recovering paid ransoms through Bitcoins,^[5] as happened with the Colonial Pipeline hack.

Monero is a privacy-focused cryptocurrency and is believed to be harder to track than Bitcoin. The ransom amount that the Prometheus group demands swindle between $6,000 and $100,000. However, the amount is doubled if it's not paid within a week.

Although cybersecurity analysts haven't identified how this malware is spread due to its similarities in behavior and infrastructure with Thanos ransomware, it is presumed that similar methods are used, including brute force and phishing attacks and purchasing access to networks that have been already compromised.