Emerging 'Prometheus' ransomware claims 30 victims in a dozen countries, Palo Alto Networks says

(Getty Images)


Written by

A new ransomware group claims to have breached 30 organizations in government, financial services, health care services, and energy firms in the United States, United Kingdom, and a dozen more countries, according to Palo Alto Networks research published Wednesday.

The group, which Palo Alto researchers have dubbed “Prometheus,” most frequently targets the manufacturing industry. The activity comes amid ongoing concern about the effect of ransomware on national security and global supply chains after incidents at Colonial Pipeline and the meat-processing corporation JBS.

“The Prometheus ransomware gang has the potential to target organizations that would lead to national concerns,” Doel Santos, threat intelligence analyst at Palo Alto Networks’ Unit 42, wrote in an email. “These threat actors are opportunistic. They are willing to target any organization.”

The group has also targeted victims in manufacturing, logistics, consulting, agriculture, insurance, and legal industries.

Prometheus claims to be affiliated with REvil, a Russia-based hacking group the FBI blamed for an attack on the global meat supplier JBS. Researchers found no evidence tying the two groups together nor could it confirm any of the group’s victims.

Santos described the Prometheus group as “ruthless.” The group’s site hosts leaked databases, emails, invoices, and documents that include personally identifiable information purportedly belonging to victims’ who failed to pay an extortion fee within a prescribed amount of time.

The group appears to be using malware similar to that used by ransomware group Thanos. The group’s emergence highlights the rapid growth of ransomware gangs thanks to the rise of ransomware-as-a-service in which other groups rent out their code and infrastructure for use.

Modern ransomware enterprises typically function as part of a larger affiliate market. One group may specialize in developing malicious software, for instance, then lease access to that tool to a partner organization in exchange for a cut of the profit from any data breaches. The Egregor, Thanos and Conti ransomware strains are known to operate in this fashion, among others, according to specialists from the threat intelligence firms Intel 471 and Trend Micro.

The growing number of groups has made it difficult for law enforcement to stay on top of the problem. FBI Director Christopher Wray recently told the Wall Street Journal that the agency has investigated 100 different types of ransomware.

In April, the security vendor Cybereason detailed a botnet called “Prometei,” which hackers appear to leverage for cryptomining and other financial scams. “Prometei” is the Russian translation for Prometheus, though it remains unclear if there is a connection between the two hacking tools.

-In this Story-

Colonial Pipeline, JBS, Palo Alto Networks, ransomware, Russia