- Researchers who have been following ‘Prometheus’ for a while see no connection to ‘REvil.’
- The new group appears to operate alone using a new variant of the ‘Thanos’ strain bought on forums.
- Prometheus is promoting itself as part of REvil to get undeserved credibility.
At the start of the month, we touched on the subject of new ransomware actors that appeared in the ever-shifting threat landscape, with two notable examples being ‘Prometheus’ and ‘Grief.' The former claimed that they are members of the ‘REvil’ operation (Sodinokibi), and included a prominent mention of the fact on their very logo, which is a blatant copy of the logo of a legit company. However, as white-hat researchers dug deeper to figure out if this claim holds true, it appears that there are no apparent links between REvil and Prometheus after all.
Unit 42 has been following the activities of Prometheus closely for the past couple of months, and what they conclude in general is that the new group shares more similarities and connections with ‘Thanos,’ a ransomware affiliate program that reached its peak popularity last summer and then gradually faded into obscurity. Moreover, even the ransomware strain used by Prometheus appears to be a new variant of Thanos, possibly bought directly from dark web forums where it has been confirmed to be offered for purchase.
In terms of victimology and financial success, the new group targets mostly US-based entities, has already listed 30 victims on its extortion portal and prefers to compromise companies that engage in the fields of manufacturing, transportation, and logistics. The ransom payments they request range between $6,000 and $100,000, and the preferable form is Monero (XMR).
These amounts are way too small to be correlated with REvil at any level. And as for the success in getting those payments, Prometheus has had four positive outcomes so far, all concerning companies that reside outside the U.S.
So, if Prometheus doesn’t have any relation to REvil, why are they unilaterally making these false claims? Simply put, REvil is a notorious ransomware group, so presenting yourself as a member of it adds credibility. Potentially, it intimidates victims and provides an incentive to pay the requested ransom because it creates the idea that the troublesome situation is the work of a sophisticated actor, and the only way out of it is to meet their demands.
If Prometheus were operating a RaaS program, this alleged link with REvil would also help bring large numbers of hackers aboard, but they appear to act alone for now. Maybe they’ll open up later, when and if they’re ever ready.