New Ransomware Group Claiming Connection to REvil Gang Surfaces

'Prometheus' is the latest example of how the ransomware-as-a-service model is letting new gangs scale up operations quickly.

A new ransomware group that claims to have impacted some 30 organizations since earlier this year is the latest example of how quickly criminal gangs are able to scale up new operations using ransomware-as-a-service offerings.

The group, Prometheus, first surfaced in February. Researchers from Palo Alto Networks (PAN) who have been tracking the gang this week described it as using double-extortion tactics — data encryption and data theft — to try and extract money from victims. The group hosts a leak site that it has been using to name new victims and post stolen data for purchase when a victim refuses or is unable to pay the demanded ransom.

According to PAN, Prometheus claims it has breached at least 30 organizations across multiple sectors, including government, manufacturing, financial services, logistics, insurance, and health care. On average, the group has demanded between $6,000 and $100,000 in Monero cryptocurrency as a ransom — relatively modest amounts by current cyber-extortion standards. The demanded ransom amount doubles if victims don't respond within the one-week deadline set by the Prometheus gang.

As is often the case, most of the group's victims are US-based organizations. Other impacted countries include Brazil, Norway, France, Peru, Mexico, and the UK. So far four victims have paid a ransom to get their data back.

Doel Santos, threat intelligence analyst at PAN's Unit 42 threat intelligence group, says there is little to suggest the Prometheus group is going after victims in a targeted fashion.

"We believe the Prometheus ransomware group is opportunistic," Santos says. "By looking at their alleged victims, they didn't seem to follow any rules or avoid certain organizations." Instead, they are attacking vulnerable organizations as they find them.

Prometheus has portrayed itself as belonging to REvil (aka Sodinokibi), an infamous ransomware-as-a-service operation that is believed to be responsible for the attack that crippled operations at US food supplier JBS. However, there is little evidence to back up that claim, says PAN.

Instead, the group appears to be among the many new ones that have been able to quickly scale up operations by procuring ransomware code, infrastructure, and access to compromised networks via third-party providers. The Prometheus ransomware strain itself, for example, appears to be a new variant of Thanos, a previously known ransomware tool that has been available for sale on Dark Web markets for months, PAN says. It's unclear how the group is delivering the ransomware on victim networks, but it is possible they are buying access to compromised networks in criminal markets.

Like many established ransomware operators, the gang behind Prometheus has adopted a very professional approach to dealing with its victims — including referring to them as "customers," PAN said. Members of the group communicate with victims via a customer service ticketing system that includes warnings on approaching payment deadlines and notifications of plans to sell stolen data via auction if the deadline is not met.

"New ransomware gangs like Prometheus follow the same TTPs as big players [such as] Maze, Ryuk, and NetWalker because it is usually effective when applied the right way with the right victim," Santos says. "However, we do find it interesting that this group sells the data if no ransom is paid and is very vocal about it."

From samples provided by the Prometheus ransomware gang on their leak site, the group appears to be selling stolen databases, emails, invoices, and documents that include personally identifiable information.

"There are marketplaces where threat actors can sell leaked data for a profit, but we currently don't have any insight on how much this information could be sold for in a marketplace," Santos says.

Rapid Proliferation
The rapid proliferation of professionally run ransomware groups such as Prometheus and the increasingly brazen nature of their attacks have caused widespread concern. Two attacks in particular — the May ransomware attack on Colonial Pipeline, which resulted in the shutdown of 5,500 miles of pipeline in the United States, and the early June attack on food supplier JBS USA — have triggered urgent calls for some kind of national response to the threat. According to Reuters, the US Department of Justice has begun giving ransomware attacks the same priority they give to terrorist actions.

"Governments need to take this very seriously, and act to actively track and disrupt gangs, and give practical guidance to the private sector on how to protect itself," UK cybersecurity expert Kevin Beaumont, who is head of Arcadia Group's SOC, wrote recently. "Why? Because uncontrolled groups of serious organized criminals, with the ability to inflict deliberate harm, are an international security threat."

Security experts such as Beaumont worry that the money ransomware groups are raking in from their attacks is only setting them up to launch even bigger and potentially more destructive attacks down the road. They believe that far from winding down, the volume of ransomware attacks is only going to explode in the near term as more criminals join the fray.

Sean Nikkel, senior cyberthreat intel analyst at Digital Shadows, says the number of publicly known ransomware groups is just the tip of the iceberg.

"The ransomware landscape is sizable," Nikkel says. "While some recent campaigns have been relatively public, usually due to the data disclosures involved, these groups represent only a fraction of the potential attackers out there."

A coordinated effort is required to deal with the problem, adds Rick Holland, senior vice president of strategy at Digital Shadows.

"While treating the ransomware threat like terrorism is helpful, it is good to remember that the global war on terrorism, also known as the 'forever war,' has been going on for more than 30 years," he says.

While more resources will certainly be applied to address ransomware threats, people also need to recognize it as a long-term threat, analogous to chronic health conditions.

"You don't solve hypertension, diabetes, and heart disease overnight," Holland notes. "You need a holistic approach to minimize these risks."