Prometheus Ransomware Decryptor
By CyCraft Technology Corp
Published: 2021-09-16 · Archived: 2026-04-05 12:44:57 UTC
Quick How-to Guide
We provided a GUI version for windows users. All features are supported in the GUI version. If your
programming skills aren’t developed to a mature level, please follow the steps below to decrypt your files:
1. Choose a file or folder to decrypt.
2. Choose the output file name or output folder.
3. Select “Use thread” and fill in 2–4 for PC. (Threads usually make the decryption routine faster, but it
actually depends on the number of your CPU cores)
4. Click decrypt.
5. There is a counter, which shows the current guessing tickcount.
6. The decrypting result will show in the text block below. (There may be multiple possible keys, so the
decryption routine will continue to decrypt to find more possible keys. You can press “Next one” to skip
the current file.)
Press enter or click to view image in full size
https://medium.com/cycraft/prometheus-decryptor-6933e7bac1ea
Page 1 of 9

Brief History on Prometheus
The emerging ransomware group Prometheus made headlines last month with Unit42’s report. According to the
report, which had observed Prometheus for 4 months, victims of the emerging ransomware group total more than
30 in multiple different countries, including the United States, the UK, and a dozen more countries in Asia,
Europe, the Middle East, and South America.
Organizations targeted for attack by Prometheus included government agencies, financial services, manufacturing,
logistics, agriculture, healthcare services, insurance agencies, energy, consulting, law firms, and more.
Although Prometheus claimed to be affiliated with REvil (the Russia-based ransomware group attributed to the
attack on global meat supplier JBS that succeeded in acquiring an 11 million USD ransom, Prometheus’s code and
behavior are more similar to Thanos.
Brief History on Thanos — The Possible Predecessor of Prometheus
First observed in 2020, Thanos gained notoriety for its 43 different configuration options as well as being the first
ransomware to utilize the evasion technique know as RIPlace.
RIPlace was introduced via a POC exploit in November 2019. Initially, RIPlace could bypass several ransomware
defense mechanisms, including AV and certain EDR solutions. It wasn’t until a few months later that RIPlace was
seen in the wild.
Get CyCraft Technology Corp’s stories in your inbox
Join Medium for free to get updates from this writer.
Remember me for faster sign in
Like other ransomware on the ransomware-as-a-service (RaaS) market, Thanos ransomware does appear to have
code overlaps with other ransomware, notably Hakbit; however, just like other ransomware, Thanos does come
with customization options and appears to still be under active development.
Usage
Build
make win32 # windows 32 bits
make win64 # windows 64 bits
make linux # linux
make win32GUI # windows 32 bits GUI (built on windows)
make win64GUI # windows 64 bits GUI (build on windows)
Command Arguments
https://medium.com/cycraft/prometheus-decryptor-6933e7bac1ea
Page 2 of 9

Usage of ./bin/prometheus_decrypt:
 -b string
 Custom search with byte value. (i.e. \xde\xad\xbe\xef -> deadbeef)
 Please use ?? to match any byte (i.e. de??beef)
 -c Use current tickcount. (only support in Windows)
 -e string
 Search file extension.
 -f int
 Found candidate. (default 1)
 -i string
 Input encrypted file.
 -k string
 Decrypt with this key.
 -m int
 Move backward m minutes from the current decrypted seed when guessing the next sample. (defau
 -o string
 Output decrypted file.
 -p int
 Use n thread. (default 1)
 -r Reversed tickcount.
 -s string
 Custom search with regular expression.
 -t int
 Start tickcount.
Brute Force Random Seed
Brute force the random seed of a png image from tickcount 0.
./prometheus_decrypt -i ./sample/CyCraft.png.PROM\[prometheushelp@mail.ch\] -o ./output/CyCraft.png -
In this command, there are 4 arguments:
i: input encrypted file
o: output file
e: search file format
p: thread count
Reversed Tickcount
Brute force the random seed of a png image from tickcount 100000 in reversed order.
./prometheus_decrypt -i ./sample/CyCraft.png.PROM\[prometheushelp@mail.ch\] -o ./output/CyCraft.png -
https://medium.com/cycraft/prometheus-decryptor-6933e7bac1ea
Page 3 of 9

There are 2 additional arguments:
t: start from 100000
r: reversed order (100000…0)
Brute force from current tickcount (only for Windows)
Brute force the random seed of a png image from the current tickcount in reversed order. This feature is usually
used in reversed order.
./prometheus_decrypt -i ./sample/CyCraft.png.PROM\[prometheushelp@mail.ch\] -o ./output/CyCraft.png -
There is an additional argument:
c: start from the current tickcount
Decrypt (Encrypt) with a key
Decrypt (Encrypt) a file with a provided key.
./prometheus_decrypt -i ./sample/CyCraft.png.PROM\[prometheushelp@mail.ch\] -o ./output/CyCraft.png -
There is an additional argument:
k: provided key
Brute force random seed with custom format (regular expression)
Brute force the random seed of a text file with a known string “we had another great”.
./prometheus_decrypt -i ./sample/test.txt.enc -o ./output/test.txt -p 16 -s "we had another great"
There is an additional argument:
s: regular expression to match the decrypted file
Brute force the random seed with custom format (bytes pattern)
Brute force the random seed of a png file with its header in hex.
./prometheus_decrypt -i ./sample/test.txt.enc -o ./output/test.txt -p 16 -b '89??4e??0d??1a0a??00'
There is an additional argument:
b: PNG header in hex format.
https://medium.com/cycraft/prometheus-decryptor-6933e7bac1ea
Page 4 of 9

The full bytes are “8950 4e47 0d0a 1a0a 0000”.
We can use ?? to match any byte.
Custom search with bytes pattern is much more convenient than regular expression since there are lots of file
format that it can’t be performed by visible characters.
Brute force the random seed for a directory
Brute force the random seed of a png file with its header in hex.
./prometheus_decrypt -i ./sample -o ./output -p 16 -m 1 -f 2
There are two additional arguments:
m: Move backward m minutes from the current decrypted seed when guessing the next sample. (default 30)
Use seed-m*60*1000 as the start tickcount.
f: Found candidate. (default 1)
Limit the candidates found. There may be several candidates to a file, limit its candidates can save time.
Since there are lots of files to decrypt, you can press Ctrl-c to skip the current guessing file.
Output
Since we match the file with magic number, it might be matched even if a wrong key is provided. Therefore, we
keep the decryption process continued to guess. You can terminate it anytime if you find the correct decrypted file.
% ./prometheus_decrypt -i ./sample/test.txt.enc -o ./output/test.txt -p 16 -s "we had another great"
 Decrypt file with seed 615750, key: +@[%T-mZSh+E[^^i{W:dpwnhdL4<b8D4, path: ./output/615750_test.txt
 2795306...
Supported File Format
We match the magic number with https://github.com/h2non/filetype. Here is the file type we currently support:
Image
jpg — image/jpeg
png — image/png
gif — image/gif
webp — image/webp
cr2 — image/x-canon-cr2
tif — image/tiff
bmp — image/bmp
heif — image/heif
https://medium.com/cycraft/prometheus-decryptor-6933e7bac1ea
Page 5 of 9

jxr — image/vnd.ms-photo
psd — image/vnd.adobe.photoshop
ico — image/vnd.microsoft.icon
dwg — image/vnd.dwg
Video
mp4 — video/mp4
m4v — video/x-m4v
mkv — video/x-matroska
webm — video/webm
mov — video/quicktime
avi — video/x-msvideo
wmv — video/x-ms-wmv
mpg — video/mpeg
flv — video/x-flv
3gp — video/3gpp
Audio
mid — audio/midi
mp3 — audio/mpeg
m4a — audio/m4a
ogg — audio/ogg
flac — audio/x-flac
wav — audio/x-wav
amr — audio/amr
aac — audio/aac
Archive
epub — application/epub+zip
zip — application/zip
tar — application/x-tar
rar — application/vnd.rar
gz — application/gzip
bz2 — application/x-bzip2
7z — application/x-7z-compressed
xz — application/x-xz
zstd — application/zstd
pdf — application/pdf
exe — application/vnd.microsoft.portable-executable
swf — application/x-shockwave-flash
https://medium.com/cycraft/prometheus-decryptor-6933e7bac1ea
Page 6 of 9

rtf — application/rtf
iso — application/x-iso9660-image
eot — application/octet-stream
ps — application/postscript
sqlite — application/vnd.sqlite3
nes — application/x-nintendo-nes-rom
crx — application/x-google-chrome-extension
cab — application/vnd.ms-cab-compressed
deb — application/vnd.debian.binary-package
ar — application/x-unix-archive
Z — application/x-compress
lz — application/x-lzip
rpm — application/x-rpm
elf — application/x-executable
dcm — application/dicom
Documents
doc — application/msword
docx — application/vnd.openxmlformats-officedocument.wordprocessingml.document
xls — application/vnd.ms-excel
xlsx — application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
ppt — application/vnd.ms-powerpoint
pptx — application/vnd.openxmlformats-officedocument.presentationml.presentation
Font
woff — application/font-woff
woff2 — application/font-woff
ttf — application/font-sfnt
otf — application/font-sfnt
Application
wasm — application/wasm
dex — application/vnd.android.dex
dey — application/vnd.android.dey
How it Works
Prometheus ransomware uses salsa20 with a tickcount-based random password for encryption. The size of the
random password is 32 bytes, and every character is a visible character. Since the password uses tickcount as the
key, we can guess it brutally.
https://medium.com/cycraft/prometheus-decryptor-6933e7bac1ea
Page 7 of 9

Everything Starts From Security
Prevent cyber intrusions from escalating into business-altering incidents. From endpoint to network, from
investigation to blocking, from in-house to cloud, CyCraft AIR covers all aspects required to provide small,
medium, and large organizations with the proactive, intelligent, and adaptable security solutions needed to defend
from all manner of modern security threats with real-time protection and visibility across the organization.
Engage with CyCraft
Blog | LinkedIn | Twitter | Facebook | CyCraft
Press enter or click to view image in full size
CyCraft secures government agencies, police and defense organizations, Fortune Global 500 firms, top banks and
financial institutions, critical infrastructure, airlines, telecommunications, hi-tech firms, SMEs, and more by being
Fast / Accurate / Simple / Thorough.
CyCraft powers SOCs using innovative AI-driven technology to automate information security protection with
built-in advanced managed detection and response (MDR), global cyber threat intelligence (CTI), smart threat
intelligence gateway (TIG) and network detection and response (NDR), security operations center (SOC)
operations software, auto-generated incident response (IR) reports, enterprise-wide Health Check (Compromise
Assessment, CA), and Secure From Home services. Everything Starts From Security.
Meet your cyber defense needs in the 2020s by engaging with CyCraft at engage@cycraft.com
Additional Resources
Read our latest white paper to learn what threat actors target Taiwan, their motivations & how Taiwan
organizations retain resilience against some of the most sophisticated and aggressive cyber attacks in the
world.
https://medium.com/cycraft/prometheus-decryptor-6933e7bac1ea
Page 8 of 9

Is your SOC prepared for the next decade of cyber attacks? Read our latest report on building effective
SOCs in the 2020s, the challenges to overcome, and the stressors to avoid — includes research from
Gartner, Inc. on why Midsize enterprises are embracing MDR providers.
New to the MITRE Engenuity ATT&CK Evaluations? START HERE for a fast, accurate, simple, thorough
introductory guide to understanding the results.
Our CyCraft AIR security platform achieved 96.15% Signal-to-Noise Ratio with zero configuration
changes and zero delayed detections straight out-of-the-box.
Source: https://medium.com/cycraft/prometheus-decryptor-6933e7bac1ea
https://medium.com/cycraft/prometheus-decryptor-6933e7bac1ea
Page 9 of 9