Researchers Say ‘Prometheus’ Is Not Related to ‘REvil’ in Any Apparent Way

  • Researchers who have been following ‘Prometheus’ for a while see no connection to ‘REvil.’
  • The new group appears to operate alone using a new variant of the ‘Thanos’ strain bought on forums.
  • Prometheus is promoting itself as part of REvil to get undeserved credibility.

At the start of the month, we touched on the subject of new ransomware actors that appeared in the ever-shifting threat landscape, with two notable examples being ‘Prometheus’ and ‘Grief.’ The former claimed that they are members of the ‘REvil’ operation (Sodinokibi), and included a prominent mention of the fact on their very logo, which is a blatant copy of the logo of a legit company. However, as white-hat researchers dug deeper to figure out if this claim holds true, it appears that there are no apparent links between REvil and Prometheus after all.

Source: Cyble

Unit 42 has been following the activities of Prometheus closely for the past couple of months, and what they conclude in general is that the new group shares more similarities and connections with ‘Thanos,’ a ransomware affiliate program that reached its peak popularity last summer and then gradually faded into obscurity. Moreover, even the ransomware strain used by Prometheus appears to be a new variant of Thanos, possibly bought directly from dark web forums where it has been confirmed to be offered for purchase.

Source: Unit 42

In terms of victimology and financial success, the new group targets mostly US-based entities, has already listed 30 victims on its extortion portal and prefers to compromise companies that engage in the fields of manufacturing, transportation, and logistics. The ransom payments they request range between $6,000 and $100,000, and the preferable form is Monero (XMR).

These amounts are way too small to be correlated with REvil at any level. And as for the success in getting those payments, Prometheus has had four positive outcomes so far, all concerning companies that reside outside the U.S.

Source: Unit 42

So, if Prometheus doesn’t have any relation to REvil, why are they unilaterally making these false claims? Simply put, REvil is a notorious ransomware group, so presenting yourself as a member of it adds credibility. Potentially, it intimidates victims and provides an incentive to pay the requested ransom because it creates the idea that the troublesome situation is the work of a sophisticated actor, and the only way out of it is to meet their demands.

If Prometheus were operating a RaaS program, this alleged link with REvil would also help bring large numbers of hackers aboard, but they appear to act alone for now. Maybe they’ll open up later, when and if they’re ever ready.



NBCUniversal’s Streaming Platform ‘Peacock’ Is Landing on Amazon’s Fire TV Today

Users of Fire TV devices will finally be able to enjoy ‘Peacock’ content on their Amazon hardware.This has been requested warmly by...

Dell Fixes Multiple BIOS Vulnerabilities Affecting Millions of Its Computers

Tens of millions of Dell computers are vulnerable to arbitrary remote code execution flaws.The problem lies in BIOS components that come as...

Former Executives of French Spyware Firms ‘Nexa’ and ‘Amesys’ Indicted for Aiding Torture

Four former executives of two French spyware firms have been indicted in Paris for aiding torture in Africa.These people were determined to...