{
	"id": "c1851ab7-a3a8-4361-9bbc-f457dba00305",
	"created_at": "2026-04-06T00:12:13.54401Z",
	"updated_at": "2026-04-10T13:12:52.321635Z",
	"deleted_at": null,
	"sha1_hash": "7fe18d988b8495392d6af85e21106c2b3c319865",
	"title": "Prometheus x Spook: Prometheus ransomware rebranded Spook ransomware.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 892314,
	"plain_text": "Prometheus x Spook: Prometheus ransomware rebranded Spook\r\nransomware.\r\nBy S2W\r\nPublished: 2021-10-05 · Archived: 2026-04-05 23:46:39 UTC\r\nS2W TALON\r\nComparison of the victim page between Prometheus x Spook\r\nExecutive Summary\r\nSpook ransomware started on September 26th, 2021.\r\nThe double extortion site of Spook ransomware is similar to the double extortion site of Prometheus\r\nransomware.\r\nSpook ransomware is very similar to Prometheus ransomware in its ransom notes and websites. Hence\r\nPrometheus ransomware was rebranded as Spook ransomware and is still using Thanos Builder.\r\nDetailed analysis\r\n1. Prometheus ransomware was rebranded to Spook ransomware.\r\n1–1. Prometheus ransomware was last updated on July 13th, 2021.\r\nThe double extortion site operated by Prometheus last updated the information of infected victim\r\ncompanies on July 13th, 2021.\r\nThe double extortion site operated by Prometheus is no longer working. Hence Prometheus\r\nransomware has now stopped its activities.\r\nThe double extortion site operated by Prometheus ransomware\r\n1–2. Spook ransomware started on September 26th, 2021.\r\nSpook ransomware started publishing the information of infected victim companies on September 26th,\r\n2021.\r\nThe double extortion site operated by Spook ransomware\r\n2. Prometheus x Spook: Spook ransomware is the same as Prometheus ransomware.\r\nThe ransom note, the negotiation page, the files, and the resources on the double extortion site of Spook\r\nransomware are similar to those of Prometheus ransomware.\r\n2–1. The ransom note of Spook ransomware is similar to the ransom note of\r\nPrometheus ransomware.\r\nKey Identifier is the signature method of Thanos builder. When a user creates ransomware using\r\nThanos builder, the “Key Identifier” signature can be checked on the ransom note. Based on this\r\nsignature, we have confirmed that Prometheus ransomware and Spook ransomware were generated\r\nby Thanos builder.\r\nComparison of the ransom note between Prometheus x Spook\r\n2–2. The negotiation page of Spook ransomware is similar to the ransom note of\r\nPrometheus ransomware.\r\nComparison of the negotiation page between Prometheus x Spook\r\n2–3. The files and resources related to victims are located on the same path.\r\nFiles\r\nSpook ransomware: http://spookuhv****.onion/blog/wp-content/uploads/2021/05/1-15.png\r\nPrometheus ransomware: http://promethw****.onion/blog/wp-content/uploads/2021/05/1-15.png\r\nAt this path, the web server hosts the files of victims infected by Prometheus ransomware. Hence they are\r\noperating the same web server for the double extortion site.\r\nResources\r\nComparison of the victim page between Prometheus x Spook\r\n1. All posts are published with the same string “For sale company data: {the name of victim}”.\r\n2. The status of negotiation with victims is shown through the “Status” field.\r\n3. Posts are navigated using the PREVIOUS and NEXT tabs.\r\nConclusion\r\nSpook ransomware is the rebranded Prometheus ransomware. They are derived from Thanos and use a similar\r\nUI \u0026 resources to Prometheus ransomware.\r\nPrometheus ransomware and Spook ransomware are the same ransomware attack group, as shown by the same\r\nstring and the resources on the double extortion site.\r\nHomepage: https://www.s2w.inc\r\nFacebook: https://www.facebook.com/S2W\r\nTwitter: https://twitter.com/S2W_Official\r\nSource: https://medium.com/s2wlab/prometheus-x-spook-prometheus-ransomware-rebranded-spook-ransomware-6f93bd8ab5dd",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/s2wlab/prometheus-x-spook-prometheus-ransomware-rebranded-spook-ransomware-6f93bd8ab5dd"
	],
	"report_names": [
		"prometheus-x-spook-prometheus-ransomware-rebranded-spook-ransomware-6f93bd8ab5dd"
	],
	"threat_actors": [],
	"ts_created_at": 1775434333,
	"ts_updated_at": 1775826772,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7fe18d988b8495392d6af85e21106c2b3c319865.pdf",
		"text": "https://archive.orkl.eu/7fe18d988b8495392d6af85e21106c2b3c319865.txt",
		"img": "https://archive.orkl.eu/7fe18d988b8495392d6af85e21106c2b3c319865.jpg"
	}
}