{
	"id": "ffcd0ce7-18ac-47af-a2a6-9a45c48780b7",
	"created_at": "2026-04-06T00:10:21.76307Z",
	"updated_at": "2026-04-10T03:19:58.938618Z",
	"deleted_at": null,
	"sha1_hash": "0d3dcb080e2471438d5078b2f45e199005a4af60",
	"title": "Prometheus Ransomware Decryptor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 958092,
	"plain_text": "Prometheus Ransomware Decryptor\r\nBy CyCraft Technology Corp\r\nPublished: 2021-09-16 · Archived: 2026-04-05 12:44:57 UTC\r\nQuick How-to Guide\r\nWe provide a GUI version for Windows users. All features are supported in the GUI version. If your\r\nprogramming skills aren’t developed to a mature level, please follow the steps below to decrypt your files:\r\n1. Choose a file or folder to decrypt.\r\n2. Choose the output file name or output folder.\r\n3. Select “Use thread” and fill in 2–4 for PC. (Threads usually make the decryption routine faster, but it\r\nactually depends on the number of your CPU cores.)\r\n4. Click decrypt.\r\n5. There is a counter, which shows the tickcount currently being guessed.\r\n6. The decryption result will be shown in the text block below. (There may be multiple possible keys, so the\r\ndecryption routine will continue to decrypt to find more possible keys. You can press “Next one” to skip\r\nthe current file.)\r\nhttps://medium.com/cycraft/prometheus-decryptor-6933e7bac1ea\n\nBrief History on Prometheus\r\nThe emerging ransomware group Prometheus made headlines last month with Unit42’s report. 
According to the\r\nreport, which had observed Prometheus for 4 months, victims of the emerging ransomware group total more than\r\n30 in multiple different countries, including the United States, the UK, and a dozen more countries in Asia,\r\nEurope, the Middle East, and South America.\r\nOrganizations targeted for attack by Prometheus included government agencies, financial services, manufacturing,\r\nlogistics, agriculture, healthcare services, insurance agencies, energy, consulting, law firms, and more.\r\nAlthough Prometheus claimed to be affiliated with REvil (the Russia-based ransomware group attributed to the\r\nattack on global meat supplier JBS that succeeded in acquiring an 11 million USD ransom), Prometheus’s code and\r\nbehavior are more similar to Thanos.\r\nBrief History on Thanos — The Possible Predecessor of Prometheus\r\nFirst observed in 2020, Thanos gained notoriety for its 43 different configuration options as well as being the first\r\nransomware to utilize the evasion technique known as RIPlace.\r\nRIPlace was introduced via a POC exploit in November 2019. Initially, RIPlace could bypass several ransomware\r\ndefense mechanisms, including AV and certain EDR solutions. 
It wasn’t until a few months later that RIPlace was\r\nseen in the wild.\r\nLike other ransomware on the ransomware-as-a-service (RaaS) market, Thanos ransomware does appear to have\r\ncode overlaps with other ransomware, notably Hakbit; however, just like other ransomware, Thanos does come\r\nwith customization options and appears to still be under active development.\r\nUsage\r\nBuild\r\nmake win32 # windows 32 bits\r\nmake win64 # windows 64 bits\r\nmake linux # linux\r\nmake win32GUI # windows 32 bits GUI (built on windows)\r\nmake win64GUI # windows 64 bits GUI (build on windows)\r\nCommand Arguments\r\nUsage of ./bin/prometheus_decrypt:\r\n -b string\r\n Custom search with byte value. (i.e. \\xde\\xad\\xbe\\xef -\u003e deadbeef)\r\n Please use ?? to match any byte (i.e. de??beef)\r\n -c Use current tickcount. (only support in Windows)\r\n -e string\r\n Search file extension.\r\n -f int\r\n Found candidate. (default 1)\r\n -i string\r\n Input encrypted file.\r\n -k string\r\n Decrypt with this key.\r\n -m int\r\n Move backward m minutes from the current decrypted seed when guessing the next sample. (defau\r\n -o string\r\n Output decrypted file.\r\n -p int\r\n Use n thread. 
(default 1)\r\n -r Reversed tickcount.\r\n -s string\r\n Custom search with regular expression.\r\n -t int\r\n Start tickcount.\r\nBrute Force Random Seed\r\nBrute force the random seed of a png image from tickcount 0.\r\n./prometheus_decrypt -i ./sample/CyCraft.png.PROM\\[prometheushelp@mail.ch\\] -o ./output/CyCraft.png -\r\nIn this command, there are 4 arguments:\r\ni: input encrypted file\r\no: output file\r\ne: search file format\r\np: thread count\r\nReversed Tickcount\r\nBrute force the random seed of a png image from tickcount 100000 in reversed order.\r\n./prometheus_decrypt -i ./sample/CyCraft.png.PROM\\[prometheushelp@mail.ch\\] -o ./output/CyCraft.png -\r\nThere are 2 additional arguments:\r\nt: start from 100000\r\nr: reversed order (100000…0)\r\nBrute force from current tickcount (only for Windows)\r\nBrute force the random seed of a png image from the current tickcount in reversed order. This feature is usually\r\nused in reversed order.\r\n./prometheus_decrypt -i ./sample/CyCraft.png.PROM\\[prometheushelp@mail.ch\\] -o ./output/CyCraft.png -\r\nThere is an additional argument:\r\nc: start from the current tickcount\r\nDecrypt (Encrypt) with a key\r\nDecrypt (Encrypt) a file with a provided key.\r\n./prometheus_decrypt -i ./sample/CyCraft.png.PROM\\[prometheushelp@mail.ch\\] -o ./output/CyCraft.png -\r\nThere is an additional argument:\r\nk: provided key\r\nBrute force random seed with custom format (regular expression)\r\nBrute force the random seed of a text file with a known string “we had another great”.\r\n./prometheus_decrypt -i ./sample/test.txt.enc -o ./output/test.txt -p 16 -s \"we had another great\"\r\nThere is an additional argument:\r\ns: regular expression to match the decrypted file\r\nBrute force the random seed with custom format (bytes pattern)\r\nBrute force the random seed of a png file with its header in hex.\r\n./prometheus_decrypt -i 
./sample/test.txt.enc -o ./output/test.txt -p 16 -b '89??4e??0d??1a0a??00'\r\nThere is an additional argument:\r\nb: PNG header in hex format.\r\nThe full bytes are “8950 4e47 0d0a 1a0a 0000”.\r\nWe can use ?? to match any byte.\r\nCustom search with a byte pattern is much more convenient than a regular expression, since many file\r\nformats cannot be matched using visible characters.\r\nBrute force the random seed for a directory\r\nBrute force the random seed of a png file with its header in hex.\r\n./prometheus_decrypt -i ./sample -o ./output -p 16 -m 1 -f 2\r\nThere are two additional arguments:\r\nm: Move backward m minutes from the current decrypted seed when guessing the next sample. (default 30)\r\nUse seed-m*60*1000 as the start tickcount.\r\nf: Found candidate. (default 1)\r\nLimit the candidates found. There may be several candidates for a file; limiting the number of candidates can save time.\r\nSince there are lots of files to decrypt, you can press Ctrl-c to skip the file currently being guessed.\r\nOutput\r\nSince we match the file by its magic number, a match may occur even if a wrong key is provided. Therefore, we\r\nkeep the decryption process running to guess further keys. You can terminate it anytime once you find the correctly decrypted file.\r\n% ./prometheus_decrypt -i ./sample/test.txt.enc -o ./output/test.txt -p 16 -s \"we had another great\"\r\n Decrypt file with seed 615750, key: +@[%T-mZSh+E[^^i{W:dpwnhdL4\u003cb8D4, path: ./output/615750_test.txt\r\n 2795306...\r\nSupported File Format\r\nWe match the magic number with https://github.com/h2non/filetype. 
Here are the file types we currently support:\r\nImage\r\njpg — image/jpeg\r\npng — image/png\r\ngif — image/gif\r\nwebp — image/webp\r\ncr2 — image/x-canon-cr2\r\ntif — image/tiff\r\nbmp — image/bmp\r\nheif — image/heif\r\njxr — image/vnd.ms-photo\r\npsd — image/vnd.adobe.photoshop\r\nico — image/vnd.microsoft.icon\r\ndwg — image/vnd.dwg\r\nVideo\r\nmp4 — video/mp4\r\nm4v — video/x-m4v\r\nmkv — video/x-matroska\r\nwebm — video/webm\r\nmov — video/quicktime\r\navi — video/x-msvideo\r\nwmv — video/x-ms-wmv\r\nmpg — video/mpeg\r\nflv — video/x-flv\r\n3gp — video/3gpp\r\nAudio\r\nmid — audio/midi\r\nmp3 — audio/mpeg\r\nm4a — audio/m4a\r\nogg — audio/ogg\r\nflac — audio/x-flac\r\nwav — audio/x-wav\r\namr — audio/amr\r\naac — audio/aac\r\nArchive\r\nepub — application/epub+zip\r\nzip — application/zip\r\ntar — application/x-tar\r\nrar — application/vnd.rar\r\ngz — application/gzip\r\nbz2 — application/x-bzip2\r\n7z — application/x-7z-compressed\r\nxz — application/x-xz\r\nzstd — application/zstd\r\npdf — application/pdf\r\nexe — application/vnd.microsoft.portable-executable\r\nswf — application/x-shockwave-flash\r\nrtf — application/rtf\r\niso — application/x-iso9660-image\r\neot — application/octet-stream\r\nps — application/postscript\r\nsqlite — application/vnd.sqlite3\r\nnes — application/x-nintendo-nes-rom\r\ncrx — application/x-google-chrome-extension\r\ncab — application/vnd.ms-cab-compressed\r\ndeb — application/vnd.debian.binary-package\r\nar — application/x-unix-archive\r\nZ — application/x-compress\r\nlz — application/x-lzip\r\nrpm — application/x-rpm\r\nelf — application/x-executable\r\ndcm — application/dicom\r\nDocuments\r\ndoc — application/msword\r\ndocx — application/vnd.openxmlformats-officedocument.wordprocessingml.document\r\nxls — application/vnd.ms-excel\r\nxlsx — 
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet\r\nppt — application/vnd.ms-powerpoint\r\npptx — application/vnd.openxmlformats-officedocument.presentationml.presentation\r\nFont\r\nwoff — application/font-woff\r\nwoff2 — application/font-woff\r\nttf — application/font-sfnt\r\notf — application/font-sfnt\r\nApplication\r\nwasm — application/wasm\r\ndex — application/vnd.android.dex\r\ndey — application/vnd.android.dey\r\nHow it Works\r\nPrometheus ransomware uses Salsa20 with a tickcount-based random password for encryption. The size of the\r\nrandom password is 32 bytes, and every character is a visible character. Since the password is generated from the\r\ntickcount, we can recover it by brute force.\n\nEverything Starts From Security\r\nPrevent cyber intrusions from escalating into business-altering incidents. From endpoint to network, from\r\ninvestigation to blocking, from in-house to cloud, CyCraft AIR covers all aspects required to provide small,\r\nmedium, and large organizations with the proactive, intelligent, and adaptable security solutions needed to defend\r\nfrom all manner of modern security threats with real-time protection and visibility across the organization.\r\nEngage with CyCraft\r\nCyCraft secures government agencies, police and defense organizations, Fortune Global 500 firms, top banks and\r\nfinancial institutions, critical infrastructure, airlines, telecommunications, hi-tech firms, SMEs, and more by being\r\nFast / Accurate / Simple / Thorough.\r\nCyCraft powers SOCs using innovative AI-driven technology to automate information security protection with\r\nbuilt-in advanced managed detection and response (MDR), global cyber threat intelligence (CTI), smart threat\r\nintelligence gateway (TIG) and network detection and response (NDR), security operations 
center (SOC)\r\noperations software, auto-generated incident response (IR) reports, enterprise-wide Health Check (Compromise\r\nAssessment, CA), and Secure From Home services. Everything Starts From Security.\r\nMeet your cyber defense needs in the 2020s by engaging with CyCraft at engage@cycraft.com\r\nAdditional Resources\r\nRead our latest white paper to learn what threat actors target Taiwan, their motivations \u0026 how Taiwan\r\norganizations retain resilience against some of the most sophisticated and aggressive cyber attacks in the\r\nworld.\r\nIs your SOC prepared for the next decade of cyber attacks? Read our latest report on building effective\r\nSOCs in the 2020s, the challenges to overcome, and the stressors to avoid — includes research from\r\nGartner, Inc. on why Midsize enterprises are embracing MDR providers.\r\nNew to the MITRE Engenuity ATT\u0026CK Evaluations? START HERE for a fast, accurate, simple, thorough\r\nintroductory guide to understanding the results.\r\nOur CyCraft AIR security platform achieved 96.15% Signal-to-Noise Ratio with zero configuration\r\nchanges and zero delayed detections straight out-of-the-box.\r\nSource: https://medium.com/cycraft/prometheus-decryptor-6933e7bac1ea",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/cycraft/prometheus-decryptor-6933e7bac1ea"
	],
	"report_names": [
		"prometheus-decryptor-6933e7bac1ea"
	],
	"threat_actors": [],
	"ts_created_at": 1775434221,
	"ts_updated_at": 1775791198,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0d3dcb080e2471438d5078b2f45e199005a4af60.pdf",
		"text": "https://archive.orkl.eu/0d3dcb080e2471438d5078b2f45e199005a4af60.txt",
		"img": "https://archive.orkl.eu/0d3dcb080e2471438d5078b2f45e199005a4af60.jpg"
	}
}