{
	"id": "bf23a94c-69c3-4dab-bbac-7f7e7e3c8c88",
	"created_at": "2026-04-06T00:21:13.054433Z",
	"updated_at": "2026-04-10T13:12:25.086848Z",
	"deleted_at": null,
	"sha1_hash": "5d34a18a657e1c3ad567fc860e5b1554be66741f",
	"title": "Spook Ransomware | Prometheus Derivative Names Those That Pay, Shames Those That Don’t",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2733490,
	"plain_text": "Spook Ransomware | Prometheus Derivative Names Those That\r\nPay, Shames Those That Don’t\r\nBy Jim Walter\r\nPublished: 2021-10-28 · Archived: 2026-04-05 22:20:06 UTC\r\nBy Jim Walter and Niranjan Jayanand\r\nExecutive Summary\r\nSpook Ransomware is an emerging player first seen in late September 2021\r\nThe operators publish details of all victims regardless of whether they pay or not\r\nTargets range across several industries with an emphasis on manufacturing\r\nAnalysis shows a significant degree of code sharing between Spook and the Prometheus and Thanos\r\nransomware families\r\nOverview\r\nSpook ransomware emerged onto the scene in late September 2021 and follows the multi-pronged extortion model\r\nthat is all too common these days. Victims are hit with the threat of data destruction as well as public data leakage\r\nand the associated fallout. In this report, we explore how the malware shares certain similarities with earlier\r\nransomware families, and describe its main encryption and execution behaviour.\r\nSpook and Prometheus\r\nThere is some indication that Spook is either linked to, or derived from, Prometheus ransomware. Prometheus is\r\nitself an evolution of Thanos ransomware. 
However, it is important to note that because the Thanos ransomware builder was leaked, any real attempt at\r\nattribution based solely on the malware’s code is somewhat futile.\r\nEven so, there are a few notable similarities between Spook, Prometheus, and ultimately Thanos.\r\nThe .NET binary in the following sample, first seen on VirusTotal on 02 October, provides a glimpse into some of\r\nthese similarities, with artifacts from the Thanos builder also apparent.\r\na63a5de26582af1438c9886cfb15c4baa08cce2e\r\nhttps://www.sentinelone.com/labs/spook-ransomware-prometheus-derivative-names-those-that-pay-shames-those-that-dont/\r\nPage 1 of 11\n\nShared code block with Thanos\r\nOur analysis suggests an overlap of between 29% and 50% shared code between Spook and Prometheus.\r\nSome of this overlap is related to the construction of the ransom notes and key identifiers.\r\nRansom note similarity example (Prometheus vs Spook)\r\nIn addition to shared code artifacts, there are similarities in the layout and structure of the Spook and\r\nPrometheus payment portals.\r\nBelow are the similarities between the leak-data URLs hosted by the two groups.\r\nSpook ransomware:\r\nhxxp[:]//spookuhv****.onion/blog/wp-content/uploads/2021/05/1-15.png\r\nPrometheus ransomware:\r\nhxxp[:]//promethw****.onion/blog/wp-content/uploads/2021/05/1-15.png\r\nOffline Encryption and Process Manipulation\r\nSpook, mirroring the manifestos of others, boasts “very strong (AES) encryption” along with the threat of leaking\r\nvictim data to the public. The malware has the ability to encrypt target machines without requiring internet\r\nconnectivity. 
Encryption of a full disk can occur within just a few minutes, at which point the ransom note\r\n(RESTORE_FILES_INFO.HTA) is displayed on the desktop along with numerous other system notifications.\r\nThe malware also makes a number of changes to ensure that the ransom notifications are displayed prominently\r\nafter reboot (via a Start Menu shortcut and the registry).\r\nWinlogon is modified (via the registry) to display the ransom note text upon login:\r\nHKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\r\nString values: LegalNoticeCaption / LegalNoticeText\r\nRegistry Modifications for Persistence\r\nRansom notes are also displayed upon login via a shortcut placed in the Startup directory.\r\nStartup Folder Shortcut\r\nIn addition, Spook will attempt to terminate any processes and stop any services that may inhibit the\r\nencryption process.\r\nHere again there is overlap between Spook, Prometheus, and Thanos with regards to process discovery and\r\nmanipulation, especially in checking for and killing the Raccine anti-ransomware process that some\r\norganizations deploy in an effort to protect shadow copies.\r\ntaskkill.exe is used to force the termination of the following processes if found:\r\nagntsvc.exe\r\nCNTAoSMgr.exe\r\ndbeng50.exe\r\ndbsnmp.exe\r\nencsvc.exe\r\nexcel.exe\r\nfirefoxconfig.exe\r\nhunderbird.exe\r\ninfopath.exe\r\nisqlplussvc.exe\r\nmbamtray.exe\r\nmsaccess.exe\r\nmsftesql.exe\r\nmydesktopqos.exe\r\nmydesktopservice.exe\r\nmysqld-nt.exe\r\nMysqld-opt.exe\r\nMspub.exe\r\nmysqld.exe\r\nNtrtscan.exe\r\nocautoupds.exe\r\nocomm.exe\r\nocssd.exe\r\nonenote.exe\r\noracle.exe\r\noutlook.exe\r\nPccNTMon.exe\r\nPowerpnt.exe\r\nRaccineSettings.exe\r\nsqbcoreservice.exe\r\nsqlagent.exe\r\nsqlbrowser.exe\r\nsqlservr.exe\r\nSqlwriter.exe\r\nsynctime.exe\r\nsteam.exe\r\ntbirdconfig.exe\r\nthebat.exe\r\nthebat64.exe\r\ntmlisten.exe\r\nvisio.exe\r\nwinword.exe\r\nwordpad.exe\r\nxfssvccon.exe\r\nzoolz.exe\r\ntaskkill.exe /IM ocomm.exe /F\r\nThe Raccine product is specifically targeted, with the aim of disabling the product’s UI components and update\r\nfeatures. 
These are carried out via basic OS commands such as reg.exe and schtasks.exe:\r\ntaskkill.exe /F /IM RaccineSettings.exe\r\nreg.exe (CLI interpreter) delete \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Rac\r\nreg.exe (CLI interpreter) delete HKCU\\Software\\Raccine /F\r\nschtasks.exe (CLI interpreter) /DELETE /TN \"Raccine Rules Updater\" /F\r\nIn addition, sc.exe is used to change the start type of specific services: the SQL-related services and SstpSvc\r\nare disabled, while Dnscache, FDResPub, SSDPSRV and upnphost are set to start automatically:\r\nsc.exe config Dnscache start= auto\r\nsc.exe config SQLTELEMETRY start= disabled\r\nsc.exe config FDResPub start= auto\r\nsc.exe config SSDPSRV start= auto\r\nsc.exe config SQLTELEMETRY$ECWDB2 start= disabled\r\nsc.exe config SstpSvc start= disabled\r\nsc.exe config upnphost start= auto\r\nsc.exe config SQLWriter start= disabled\r\nWith these processes and services out of the way and the system in an optimal state for encryption, the malware\r\nproceeds to enumerate local files and folders, along with accessible network resources.\r\nGiven the Thanos pedigree, specifics around encryption can vary. The samples analyzed generate a random string\r\nat runtime and use it as the passphrase for file encryption (AES). The string is then encrypted with the attacker’s\r\npublic key and embedded in the generated ransom note(s). Recovery of encrypted data is, therefore, not possible\r\nwithout the corresponding private key.\r\nRansom Payment and Victimology\r\nUpon infection, victims are instructed to proceed to Spook’s TOR-based payment portal.\r\nSpook Ransom Demand\r\nAt the payment portal, the victim is able to interact with the attackers via chat to negotiate payment.\r\nSpook Payment Portal\r\nSpook has been targeting high-value organizations across the globe, with little to no discrimination as to\r\nindustry. 
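The tampering sequence described in the preceding section (taskkill.exe against the process list, reg.exe and schtasks.exe removal of Raccine, sc.exe start-type changes, and the Winlogon LegalNotice and Startup-folder persistence) is highly visible in process-creation, registry and file telemetry. The Python script below is an added example written for this page; it is not code from the SentinelOne report or from the malware. It runs simple detection logic over constructed event lines in an assumed host|type|detail format; the host names, the Startup shortcut file name, the event format and the alerting threshold are assumptions, and the taskkill target set is a subset of the list above.

```python
# Added example (not from the SentinelOne report or the malware): flag hosts whose
# process-creation, registry and file telemetry shows the Spook-style tampering
# sequence. The host|type|detail event format, host names and file names are constructed.
import re
from collections import defaultdict

# Subset of the taskkill target list in the report (Raccine, AV agents, databases, Office).
KILL_TARGETS = {
    'raccinesettings.exe', 'ocomm.exe', 'sqlservr.exe', 'sqlwriter.exe', 'sqlagent.exe',
    'mysqld.exe', 'oracle.exe', 'outlook.exe', 'winword.exe', 'excel.exe',
    'mbamtray.exe', 'ntrtscan.exe', 'tmlisten.exe', 'zoolz.exe',
}
# Services the report shows being set to start= disabled (instance suffix after $ is stripped).
DISABLED_SERVICES = {'sqltelemetry', 'sstpsvc', 'sqlwriter'}

# (category, regex over the lower-cased command line) for process-creation events.
PROC_RULES = [
    ('kill_process', re.compile('taskkill(\\.exe)?\\s.*/im\\s+([a-z0-9_.$-]+)')),
    ('raccine_registry', re.compile('reg(\\.exe)?\\s+delete\\s+.*raccine')),
    ('raccine_task', re.compile('schtasks(\\.exe)?\\s+/delete\\s+.*raccine rules updater')),
    ('service_disabled', re.compile('sc(\\.exe)?\\s+config\\s+([a-z0-9_$]+)\\s+start=\\s*disabled')),
]


def classify(kind, detail):
    '''Map one event to (category, object) if it matches a tampering step, else None.'''
    d = detail.lower()
    if kind == 'REG_SET':
        # Winlogon LegalNoticeCaption/LegalNoticeText: ransom note shown at logon.
        if 'currentversion\\winlogon\\legalnotice' in d:
            return ('winlogon_notice', detail.rsplit('\\', 1)[-1])
        return None
    if kind == 'FILE_CREATE':
        # Shortcut dropped into a Startup folder (per-user or all-users profile).
        if '\\start menu\\programs\\startup\\' in d and d.endswith('.lnk'):
            return ('startup_lnk', detail)
        return None
    if kind != 'PROC':
        return None
    for cat, rx in PROC_RULES:
        m = rx.search(d)
        if not m:
            continue
        if cat == 'kill_process':
            target = m.group(2)
            return (cat, target) if target in KILL_TARGETS else None
        if cat == 'service_disabled':
            svc = m.group(2)
            return (cat, svc) if svc.split('$')[0] in DISABLED_SERVICES else None
        return (cat, detail)
    return None


def parse_event(line):
    host, kind, detail = line.split('|', 2)
    return host.strip(), kind.strip(), detail.strip()


def score_hosts(lines):
    '''Return {host: {category: [objects]}} for hosts that touched Raccine at all or
    hit at least two distinct tampering categories; a single disabled service or a
    killed Office process on its own is treated as normal admin noise (assumed threshold).'''
    per_host = defaultdict(lambda: defaultdict(set))
    for line in lines:
        if not line.strip():
            continue
        host, kind, detail = parse_event(line)
        hit = classify(kind, detail)
        if hit:
            per_host[host][hit[0]].add(hit[1])
    findings = {}
    for host, cats in per_host.items():
        raccine = (any(c.startswith('raccine') for c in cats)
                   or 'raccinesettings.exe' in cats.get('kill_process', set()))
        if raccine or len(cats) >= 2:
            findings[host] = {c: sorted(v) for c, v in cats.items()}
    return findings


# Constructed telemetry: WS01 reproduces the report's sequence, WS02 and WS03 are benign noise.
SAMPLE_EVENTS = '''
WS01|PROC|taskkill.exe /F /IM RaccineSettings.exe
WS01|PROC|reg.exe delete HKCU\\Software\\Raccine /F
WS01|PROC|schtasks.exe /DELETE /TN \"Raccine Rules Updater\" /F
WS01|PROC|sc.exe config SQLWriter start= disabled
WS01|PROC|sc.exe config Dnscache start= auto
WS01|PROC|taskkill.exe /IM ocomm.exe /F
WS01|REG_SET|HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\LegalNoticeCaption
WS01|FILE_CREATE|C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\restore.lnk
WS02|PROC|sc.exe config SSDPSRV start= auto
WS02|PROC|taskkill.exe /F /IM notepad.exe
WS03|PROC|sc.exe config SQLWriter start= disabled
'''

if __name__ == '__main__':
    for host, cats in score_hosts(SAMPLE_EVENTS.splitlines()).items():
        print(host)
        for cat, objs in sorted(cats.items()):
            print('  ', cat, objs)
```

Only WS01 is reported: any Raccine-specific action is alerted on immediately, while WS03's single disabled SQLWriter service and WS02's taskkill of a process outside the list stay below the threshold. Lower-casing before matching matters because the report shows mixed-case command lines (Sqlwriter.exe, SQLTELEMETRY$ECWDB2).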
Looking at the current cross-section of victims posted on the group’s web site, however, the\r\nmajority are in the manufacturing sector.\r\nThe public blog went live in early October 2021. At the time of writing, there are 17 victims posted on the Spook\r\nsite.\r\nSome of the victims named on the Spook blog site\r\nSpook lists all attacked companies, regardless of whether or not they pay the ransom demand. Those\r\nvictims that pay have their entry updated to indicate that the company’s data is ‘not for sale’. Those that have not\r\npaid are listed as having data that is “For Sale”, while some victim entries, presumably the most recent or those\r\nthat are in the process of negotiating, are listed as “Company Decides”.\r\nConclusion\r\nAs these attacks continue to escalate and become more egregious, the need for true attack prevention is all the\r\nmore critical. Spook’s tactic of publicly outing victims even when they pay threatens reputational harm to any\r\ncompromised company, regardless of whether it complies with the attackers’ payment demands.\r\nThis only continues to illustrate the importance of preventing attacks in the first place. 
Ransomware operators\r\nhave moved beyond worrying about whether companies detect them after the fact and manage to recover encrypted data.\r\nIndicators of Compromise\r\nSHA256\r\n8dad29bd09870ab9cacfdea9e7ab100d217ff128aea64fa4cac752362459991c\r\ne347fd231a543a5dfd53b01ff0bc67b2bf37593e7ddc036f15bac8ad92f0d707\r\nd991aa2b1fad608b567be28e2d13d3d4f48eea3dea8f5d51a8e42aa9a2637426\r\nSHA1\r\na63a5de26582af1438c9886cfb15c4baa08cce2e\r\nbfd0ab7eec4b282cc5689a48e8f438d042c9d98f\r\ne2b098d36e51d2b7405fadbd578cf9774433f85a\r\nMITRE ATT\u0026CK\r\nTA0005 – Defense Evasion\r\nT1486 – Data Encrypted for Impact\r\nT1027.002 – Obfuscated Files or Information: Software Packing\r\nT1007 – System Service Discovery\r\nT1059 – Command and Scripting Interpreter\r\nT1112 – Modify Registry\r\nTA0010 – Exfiltration\r\nT1018 – Remote System Discovery\r\nT1082 – System Information Discovery\r\nT1547.004 – Boot or Logon Autostart Execution: Winlogon Helper DLL\r\nT1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder\r\nSpook Ransom Note Sample\r\nSource: https://www.sentinelone.com/labs/spook-ransomware-prometheus-derivative-names-those-that-pay-shames-those-that-dont/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.sentinelone.com/labs/spook-ransomware-prometheus-derivative-names-those-that-pay-shames-those-that-dont/"
	],
	"report_names": [
		"spook-ransomware-prometheus-derivative-names-those-that-pay-shames-those-that-dont"
	],
	"threat_actors": [],
	"ts_created_at": 1775434873,
	"ts_updated_at": 1775826745,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5d34a18a657e1c3ad567fc860e5b1554be66741f.pdf",
		"text": "https://archive.orkl.eu/5d34a18a657e1c3ad567fc860e5b1554be66741f.txt",
		"img": "https://archive.orkl.eu/5d34a18a657e1c3ad567fc860e5b1554be66741f.jpg"
	}
}