Table of Contents
January 10, 2024
|9m
Things You Should Know About Emerging Prometheus Ransomware Strain
Cybersecurity researchers revealed a new emerging player in the threat landscape. This new emerging Prometheus Ransomware Strain has claimed that it had been compromised 30 business just in four months of time. Let’s see what things research has disclosed about this newly emerging Prometheus Ransomware Strain.
Prometheus ransomware was first observed in February 2021. Studies say that this new ransomware strain has been developed on a ransomware veteran Thanos. However, the Prometheus Ransomware group claims that it is a part of the notorious ransomware gang REvil. Researches don’t see any link between the two ransomware in any way. It is just an attempt to exploit REvil’s name to expand the ransomware business.
Victims Of Prometheus Ransomware
Prometheus Ransomware climes that it has compromised several businesses under different sectors in government, financial, manufacturing, logistics, consulting, agriculture, healthcare, insurance agencies, energy, and law firms in various countries around the globe, including United States, United Kingdom, and some countries in Asia, Europe, the Middle East, and South America.
There are 30 names of victims published on their leak site. According to the data found on the Prometheus Ransomware group’s leak site, it claims that four victims have paid the ransom. A Peruvian agricultural company, a Brazilian healthcare services provider and a transportation and a logistics organization from Austria and Singapore have paid ransoms. You can see the below two pictures from the report, which tells about the number of compromised organizations by the country and by industry sector.
Fig #1: Countries impacted by new Prometheus ransomware strain.
Fig #2: Industries impacted by new Prometheus ransomware strain.
The leak site displays the status of each victim. As per the information found on the leak site, four victims have made their payments and recovered their data, Eight victims’ data has been sold out to unknown third parties, and there are 17 victims’ data put on sale on the dark web.
Fig #3: Victim status for Prometheus ransomware.
Things You Should Know About Prometheus Ransomware Strain
As of the date, it is unknown that how Prometheus ransomware is being delivered to the victim’s network.
Fig #4: Ransom note
When it is executed, it first tries to kill backup and security-related processes like Raccine, a tool that tries to stop ransomware from deleting shadow copies in Windows.
It creates the file extension like this format .[XXX-XXX-XXXX].
The ransomware generates a unique payload per victim for negotiation.
It adds a hexadecimal string of GotAllDone at the end of all encrypted files.
After the completion of the encryption process, it drops two ransom notes: a RESTORE_FILES_INFO.TXT file and a RESTORE_FILES_INFO.TXT.hta with instructions to recover files.
Prometheus Ransomware group operats like a professional enterprise. It refers to its victims as “customers”. It uses a ticketing tool for tracking the status. A ticket includes a tracking ID, created date, resolution status and priority. And, the ticket system allows the victims to open a ticket for issues.
Ransome amounts may vary depending on the victim. It starts from $6000 to as high as up to $100,000. And ransom amount will be doubled if victims didn’t respond within the timeframe.
What Should You Do If infected With Prometheus Ransomware?
There are several intelligence services that are offering assistance. Please contact them.
PaloAlto’s Unit 42: or call (855) 875-4631 to get in touch with the Unit 42 Incident Response team.
Nomoreransome Project: https://www.nomoreransom.org/
BeforeCrypt Ransomware Recovery Services: https://www.beforecrypt.com/en/ransomware-recovery/
There are many other services available. Try connecting with them.
IOCs Of Prometheus Ransomware Strain
Ransome Notes:
Two text files RESTORE_FILES_INFO.TXT & RESTORE_FILES_INFO.TXT.hta with same note.
File Fingerprints:
11aebdff8c064c160c2b21f3a844bacaecd581d9dc2e4224d31903d2a56e2dd3
52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3
8c723af5c826adea162ef3f2e37a1cca7b43d549c9a5fab7c9ff17f65eb5d8e7
9d85a74f073c4403e3a91017b6757e0368139e672498a2f84f5efaad0d1b573b
A0e20c580e8a82f4103af90d290f762bd847fadd4eba1f5cd90e465bb9f810b7
20d9efe472c01a0a23c9764db679b27a4b6a4d72e697e3508e44f218b8b952f5
e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3
f90d4b7491d9f365748dbc3d2379ab20520421ab57790e9a934bb5cf2ecb2404
A090bb0e9118d7460c448304ccf47333ea64b90576230b8b4b5dee96f702ecf6
9bf0633f41d2962ba5e2895ece2ef9fa7b546ada311ca30f330f0d261a7fb184
779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc
Registry Key:
| Description | Indicator Pattern |
|---|---|
| Prometheus tries to delete Raccine registry key, using reg.exe. | [process:command_line = ‘”reg” delete “HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run” /V “Raccine Tray” /F’] |
| Prometheus tries to delete Raccine registry key, using reg.exe. | [process:command_line = ‘”reg” delete HKCU\\Software\\Raccine /F’] |
Tools and Processes Prometheus Ransomware Strain tries to disable or stop:
| Description | Indicator Pattern |
|---|---|
| Prometheus sample tries to stop the following process. | [process:command_line = ‘”net.exe” stop BMR Boot Service /y’] |
| “net.exe” stop BackupExecDiveciMediaService /y | [process:command_line = ‘”net.exe” stop BackupExecDiveciMediaService /y’] |
| “net.exe” stop BackupExecJobEngine /y | [process:command_line = ‘”net.exe” stop BackupExecJobEngine /y’] |
| “net.exe” stop BackupExecManagementService /y | [process:command_line = ‘”net.exe” stop BackupExecManagementService /y’] |
| Prometheus sample tries to stop the following process. | [process:command_line = ‘”net.exe” stop DefWatch /y’] |
| “net.exe” stop EPSecurityService /y | [process:command_line = ‘”net.exe” stop EPSecurityService /y’] |
| “net.exe” stop EPUpdateService /y | [process:command_line = ‘”net.exe” stop EPUpdateService /y’] |
| Prometheus sample tries to stop the following process. | [process:command_line = ‘”net.exe” stop EhttpSrv /y’] |
| “net.exe” stop Intuit.QuickBooks.FCS /y | [process:command_line = ‘”net.exe” stop Intuit.QuickBooks.FCS /y’] |
| “net.exe” stop MMS /y | [process:command_line = ‘”net.exe” stop MMS /y’] |
| “net.exe” stop MSExchangeMTA /y | [process:command_line = ‘”net.exe” stop MSExchangeMTA /y’] |
| “net.exe” stop MSExchangeSA /y | [process:command_line = ‘”net.exe” stop MSExchangeSA /y’] |
| “net.exe” stop MSOLAP$SQL_2008 /y | [process:command_line = ‘”net.exe” stop MSOLAP$SQL_2008 /y’] |
| “net.exe” stop MSSQL$SQLEXPRESS /y | [process:command_line = ‘”net.exe” stop MSSQL$SQLEXPRESS /y’] |
| Prometheus sample tries to stop the following process. | [process:command_line = ‘”net.exe” stop MSSQL$SQL_2008 /y’] |
| “net.exe” stop MSSQL$SYSTEM_BGC /y | [process:command_line = ‘”net.exe” stop MSSQL$SYSTEM_BGC /y’] |
| “net.exe” stop MSSQL$TPS /y | [process:command_line = ‘”net.exe” stop MSSQL$TPS /y’] |
| “net.exe” stop MSSQL$VEEAMSQL2008R2 /y | [process:command_line = ‘”net.exe” stop MSSQL$VEEAMSQL2008R2 /y’] |
| Prometheus sample tries to stop the following process. | [process:command_line = ‘”net.exe” stop McAfeeDLPAgentService /y’] |
| “net.exe” stop McTaskManager /y | [process:command_line = ‘”net.exe” stop McTaskManager /y’] |
| “net.exe” stop MySQL80 /y | [process:command_line = ‘”net.exe” stop MySQL80 /y’] |
| Prometheus sample tries to stop the following process. | [process:command_line = ‘”net.exe” stop NetBackup BMR MTFTP Service /y’] |
| “net.exe” stop OracleClientCache80 /y | [process:command_line = ‘”net.exe” stop OracleClientCache80 /y’] |
| “net.exe” stop QBCFMonitorService /y | [process:command_line = ‘”net.exe” stop QBCFMonitorService /y’] |
| “net.exe” stop QBFCService /y | [process:command_line = ‘”net.exe” stop QBFCService /y’] |
| “net.exe” stop QBIDPService /y | [process:command_line = ‘”net.exe” stop QBIDPService /y’] |
| “net.exe” stop RTVscan /y | [process:command_line = ‘”net.exe” stop RTVscan /y’] |
| “net.exe” stop ReportServer$SQL_2008 /y | [process:command_line = ‘”net.exe” stop ReportServer$SQL_2008 /y’] |
| “net.exe” stop ReportServer$SYSTEM_BGC /y | [process:command_line = ‘”net.exe” stop ReportServer$SYSTEM_BGC /y’] |
| Prometheus sample tries to stop the following process. | [process:command_line = ‘”net.exe” stop SMTPSvc /y’] |
| “net.exe” stop SavRoam /y | [process:command_line = ‘”net.exe” stop SavRoam /y’] |
| “net.exe” stop SstpSvc /y | [process:command_line = ‘”net.exe” stop SstpSvc /y’] |
| “net.exe” stop UI0Detect /y | [process:command_line = ‘”net.exe” stop UI0Detect /y’] |
| “net.exe” stop VSNAPVSS /y | [process:command_line = ‘”net.exe” stop VSNAPVSS /y’] |
| “net.exe” stop VeeamTransportSvc /y | [process:command_line = ‘”net.exe” stop VeeamTransportSvc /y’] |
| “net.exe” stop YooBackup /y | [process:command_line = ‘”net.exe” stop YooBackup /y’] |
| “net.exe” stop YooIT /y | [process:command_line = ‘”net.exe” stop YooIT /y’] |
| Prometheus sample tries to stop the following process. | [process:command_line = ‘”net.exe” stop avpsus /y’] |
| Prometheus sample tries to stop the following process. | [process:command_line = ‘”net.exe” stop bedbg /y’] |
| Prometheus sample tries to stop the following process. | [process:command_line = ‘”net.exe” stop ccEvtMgr /y’] |
| Prometheus sample tries to stop the following process. | [process:command_line = ‘”net.exe” stop ccSetMgr /y’] |
| “net.exe” stop ekrn /y | [process:command_line = ‘”net.exe” stop ekrn /y’] |
| “net.exe” stop mfefire /y | [process:command_line = ‘”net.exe” stop mfefire /y’] |
| Prometheus sample tries to stop the following process. | [process:command_line = ‘”net.exe” stop mfewc /y’] |
| “net.exe” stop mozyprobackup /y | [process:command_line = ‘”net.exe” stop mozyprobackup /y’] |
| “net.exe” stop msftesql$PROD /y | [process:command_line = ‘”net.exe” stop msftesql$PROD /y’] |
| “net.exe” stop stc_raw_agent /y | [process:command_line = ‘”net.exe” stop stc_raw_agent /y’] |
| “net.exe” stop wbengine /y | [process:command_line = ‘”net.exe” stop wbengine /y’] |
| “net.exe” stop zhudongfangyu /y | [process:command_line = ‘”net.exe” stop zhudongfangyu /y’] |
| “net.exe” stop “SQLsafe Filter Service” /y | [process:command_line = ‘”net.exe” stop “SQLsafe Filter Service” /y’] |
| Prometheus sample tries to stop the following process. | [process:command_line = ‘”net.exe” stop “Sophos Clean Service” /y’] |
| “net.exe” stop “Sophos Device Control Service” /y | [process:command_line = ‘”net.exe” stop “Sophos Device Control Service” /y’] |
| “net.exe” stop “Symantec System Recovery” /y | [process:command_line = ‘”net.exe” stop “Symantec System Recovery” /y’] |
| “net.exe” stop “Veeam Backup Catalog Data Service” /y | [process:command_line = ‘”net.exe” stop “Veeam Backup Catalog Data Service” /y’] |
| “taskkill.exe” /IM CNTAoSMgr.exe /F | [process:command_line = ‘”taskkill.exe” /IM CNTAoSMgr.exe /F’] |
| “taskkill.exe” /IM Ntrtscan.exe /F | [process:command_line = ‘”taskkill.exe” /IM Ntrtscan.exe /F’] |
| “taskkill.exe” /IM PccNTMon.exe /F | [process:command_line = ‘”taskkill.exe” /IM PccNTMon.exe /F’] |
| “taskkill.exe” /IM agntsvc.exe /F | [process:command_line = ‘”taskkill.exe” /IM agntsvc.exe /F’] |
| “taskkill.exe” /IM dbeng50.exe /F | [process:command_line = ‘”taskkill.exe” /IM dbeng50.exe /F’] |
| “taskkill.exe” /IM dbsnmp.exe /F | [process:command_line = ‘”taskkill.exe” /IM dbsnmp.exe /F’] |
| “taskkill.exe” /IM encsvc.exe /F | [process:command_line = ‘”taskkill.exe” /IM encsvc.exe /F’] |
| “taskkill.exe” /IM excel.exe /F | [process:command_line = ‘”taskkill.exe” /IM excel.exe /F’] |
| “taskkill.exe” /IM firefoxconfig.exe /F | [process:command_line = ‘”taskkill.exe” /IM firefoxconfig.exe /F’] |
| “taskkill.exe” /IM infopath.exe /F | [process:command_line = ‘”taskkill.exe” /IM infopath.exe /F’] |
| “taskkill.exe” /IM isqlplussvc.exe /F | [process:command_line = ‘”taskkill.exe” /IM isqlplussvc.exe /F’] |
| “taskkill.exe” /IM mbamtray.exe /F | [process:command_line = ‘”taskkill.exe” /IM mbamtray.exe /F’] |
| “taskkill.exe” /IM msaccess.exe /F | [process:command_line = ‘”taskkill.exe” /IM msaccess.exe /F’] |
| “taskkill.exe” /IM msftesql.exe /F | [process:command_line = ‘”taskkill.exe” /IM msftesql.exe /F’] |
| “taskkill.exe” /IM mydesktopqos.exe /F | [process:command_line = ‘”taskkill.exe” /IM mydesktopqos.exe /F’] |
| “taskkill.exe” /IM mydesktopservice.exe /F | [process:command_line = ‘”taskkill.exe” /IM mydesktopservice.exe /F’] |
| “taskkill.exe” /IM mysqld-nt.exe /F | [process:command_line = ‘”taskkill.exe” /IM mysqld-nt.exe /F’] |
| “taskkill.exe” /IM mysqld-opt.exe /F | [process:command_line = ‘”taskkill.exe” /IM mysqld-opt.exe /F’] |
| “taskkill.exe” /IM mysqld.exe /F | [process:command_line = ‘”taskkill.exe” /IM mysqld.exe /F’] |
| “taskkill.exe” /IM ocautoupds.exe /F | [process:command_line = ‘”taskkill.exe” /IM ocautoupds.exe /F’] |
| “taskkill.exe” /IM ocomm.exe /F | [process:command_line = ‘”taskkill.exe” /IM ocomm.exe /F’] |
| “taskkill.exe” /IM ocssd.exe /F | [process:command_line = ‘”taskkill.exe” /IM ocssd.exe /F’] |
| “taskkill.exe” /IM onenote.exe /F | [process:command_line = ‘”taskkill.exe” /IM onenote.exe /F’] |
| “taskkill.exe” /IM oracle.exe /F | [process:command_line = ‘”taskkill.exe” /IM oracle.exe /F’] |
| “taskkill.exe” /IM outlook.exe /F | [process:command_line = ‘”taskkill.exe” /IM outlook.exe /F’] |
| “taskkill.exe” /IM powerpnt.exe /F | [process:command_line = ‘”taskkill.exe” /IM powerpnt.exe /F’] |
| “taskkill.exe” /IM sqbcoreservice.exe /F | [process:command_line = ‘”taskkill.exe” /IM sqbcoreservice.exe /F’] |
| “taskkill.exe” /IM sqlagent.exe /F | [process:command_line = ‘”taskkill.exe” /IM sqlagent.exe /F’] |
| “taskkill.exe” /IM sqlbrowser.exe /F | [process:command_line = ‘”taskkill.exe” /IM sqlbrowser.exe /F’] |
| “taskkill.exe” /IM sqlservr.exe /F | [process:command_line = ‘”taskkill.exe” /IM sqlservr.exe /F’] |
| “taskkill.exe” /IM sqlwriter.exe /F | [process:command_line = ‘”taskkill.exe” /IM sqlwriter.exe /F’] |
| “taskkill.exe” /IM steam.exe /F | [process:command_line = ‘”taskkill.exe” /IM steam.exe /F’] |
| “taskkill.exe” /IM synctime.exe /F | [process:command_line = ‘”taskkill.exe” /IM synctime.exe /F’] |
| “taskkill.exe” /IM tbirdconfig.exe /F | [process:command_line = ‘”taskkill.exe” /IM tbirdconfig.exe /F’] |
| “taskkill.exe” /IM thebat.exe /F | [process:command_line = ‘”taskkill.exe” /IM thebat.exe /F’] |
| “taskkill.exe” /IM thebat64.exe /F | [process:command_line = ‘”taskkill.exe” /IM thebat64.exe /F’] |
| “taskkill.exe” /IM tmlisten.exe /F | [process:command_line = ‘”taskkill.exe” /IM tmlisten.exe /F’] |
| “taskkill.exe” /IM visio.exe /F | [process:command_line = ‘”taskkill.exe” /IM visio.exe /F’] |
| “taskkill.exe” /IM winword.exe /F | [process:command_line = ‘”taskkill.exe” /IM winword.exe /F’] |
| “taskkill.exe” /IM wordpad.exe /F | [process:command_line = ‘”taskkill.exe” /IM wordpad.exe /F’] |
| “taskkill.exe” /IM xfssvccon.exe /F | [process:command_line = ‘”taskkill.exe” /IM xfssvccon.exe /F’] |
| “taskkill.exe” /IM zoolz.exe /F | [process:command_line = ‘”taskkill.exe” /IM zoolz.exe /F’] |
| “taskkill.exe” IM thunderbird.exe /F | [process:command_line = ‘”taskkill.exe” IM thunderbird.exe /F’] |
Thanks for reading this post. Please share this post and help secure the business.
Arun KL
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
- April 18, 2024
Learn Something New with Free Email subscription
Learn Something New with Free Email subscription
Subscribe
Subscribe
Subscribe
Subscribe
- April 18, 2024
