{
	"id": "fa18309a-0a5d-465c-a702-41cbea9d08e8",
	"created_at": "2026-04-06T00:17:27.964411Z",
	"updated_at": "2026-04-10T03:20:30.508404Z",
	"deleted_at": null,
	"sha1_hash": "9865d9fd7f05daf34d718d617a1e95f6694153fb",
	"title": "Prometheus: New Ransomware Group Targets Organizations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1509270,
	"plain_text": "Prometheus: New Ransomware Group Targets Organizations\r\nPublished: 2021-06-05 · Archived: 2026-04-05 20:21:36 UTC\r\nPrometheus: An Emerging Ransomware Group Using Thanos Ransomware to Target Organizations\r\nDuring our regular threat hunting operations, the Cyble Research team found a blog on the darkweb hosted by the Prometheus ransomware group. This blog is a clear indication that the group is back in action.\r\nIn the blog, the group has affiliated itself with the REvil ransomware group, as shown in Figure 1.\r\nFigure 1: Prometheus Blog\r\nhttps://blog.cyble.com/2021/06/05/prometheus-an-emerging-apt-group-using-thanos-ransomware-to-target-organizations/\r\nPage 1 of 13\n\nBased on our research, Cyble researchers have found a sample of the Thanos ransomware being used by the Prometheus group for a recent ransomware attack. The technical analysis we have performed on the file is shared below:\r\nTECHNICAL ANALYSIS:\r\nThe Thanos ransomware is a 32-bit .NET executable file that is highly obfuscated. On decompiling it, we saw that the file contains non-readable code, which made it difficult to reverse. We used a de-obfuscation tool to read the contents of the file, but the code was not completely de-obfuscated. While decompiling, we also found a data object that contained a list of base64 encoded strings and several other plain strings. These strings helped us identify the possible activities performed by the ransomware.\r\nFigure 2 shows the list of base64 encoded strings.
\r\nFigure 2: Base64 Encoded Strings\r\nApart from the base64 encoded strings, the modified Thanos ransomware sample contained additional interesting strings related to document file extensions, the link file name used for persistence, system information, and the extensions of various database files. On running the program, we found that only document files and database files are encrypted by the ransomware. Figure 3 shows the additional types and extracted information used for selecting file types for encryption.\r\nFigure 3: Strings Used for Selecting File Types.\r\nAfter finding the base64 encoded strings, we de-obfuscated them and observed that the strings are enumerated by the ransomware at runtime to check the running processes, as shown in Figure 4.\r\nFigure 4: Processes Enumerated by the Ransomware\r\nOur observations also indicated that the ransomware started and stopped various services and programs after enumerating the processes. The services started are described in the following table:\r\nService | Description\r\nDnscache | Used for client-side DNS resolution and caching for faster DNS queries.\r\nFDResPub | Makes the computer and its resources visible on the network.\r\nSSDPSRV | Discovers networked devices.\r\nupnphost | Discovers Universal Plug and Play (UPnP) devices.\r\nTable: Services Started by the Ransomware\r\nThe services started and stopped by the Prometheus ransomware are shown in Figure 5. The first 4 services are started by the ransomware, while the remaining are stopped.\r\nFigure 5: Services Started and Stopped by the Ransomware.
\r\nThe ransomware stops several services that are critical for various purposes, including antivirus, system backup and restore, database backup and restore, and reporting tools. The purpose behind stopping these services is to block backup and restore operations, which could otherwise facilitate data recovery. Figure 6 shows additional services which are terminated.\r\nFigure 6: Additional Services Stopped\r\nIn addition to starting and stopping services, the Thanos ransomware also uses the SC (Service Control) command to permanently change service configuration. Figure 7 shows the parameters passed to SC to permanently change shared network and device services.\r\nFigure 7: SC Changing Configuration.\r\nThe ransomware also terminates multiple processes running on the system using taskkill.exe, both to speed up its operation and because these programs are resource intensive and can lock the files targeted by the ransomware. Some of these programs are excel.exe, steam.exe, sqlwriter.exe, thunderbird.exe, and msaccess.exe. The targeted programs are listed in Figure 8.\r\nFigure 8: Processes Terminated by taskkill.exe.\r\nThis variant of the Thanos ransomware checks for various security tools used by malware researchers for reversing the malware. These tools are listed in Figure 9.\r\nFigure 9: List of Security Tools\r\nThe Thanos ransomware uses an interesting technique for obfuscation. At runtime, it loads a reversed base64 encoded string containing the registry information, as shown in Figure 10.
\r\nFigure 10: Obfuscation Used by the Ransomware\r\nFor network operations, the ransomware changes the firewall rules to open various ports and allow connections from other systems.\r\nFigure 11 shows the registry entries for allowing inbound connections on various ports.\r\nFigure 11: Firewall Entries Edited.\r\nThe ransomware starts encryption after stopping all the backup and restore services, disabling security software, and changing the network state. The modified sample of the Thanos ransomware uses AES encryption, and after encrypting files, it appends a custom extension that is unique for every malware file, unlike most other ransomware, which typically append an extension derived from the system. Figure 12 shows the encrypted files with the extension.\r\nFigure 12: Encrypted Files\r\nWhile encrypting the files, the ransomware drops the ransom note in HTA and text formats. Figures 13 and 14 show the dropped files and the ransom note.\r\nFigure 13: Dropping Ransom Note\r\nFigure 14: Ransom Note\r\nIt is evident that more ransomware groups will emerge in the near future. Most of the time, these groups use existing ransomware with slight modifications to evade detection. We recommend the best practices listed below to secure sensitive data and mitigate losses from ransomware attacks.
\r\nIndicators of Compromise (IoC):\r\nHere’s the list of sha256 of the files related to the recent Thanos ransomware attacks:\r\nOrganizations should implement the following best practices to strengthen the security posture of their organization’s systems.\r\nCheck for instances of standard executables executing with the hash of another process.\r\nImplement multi-factor authentication (MFA), especially for privileged accounts.\r\nUse separate administrative accounts on different administration workstations.\r\nEmploy Local Administrator Password Solution (LAPS).\r\nAllow the least privilege to employees on data access.\r\nUse MFA to secure Remote Desktop Protocol (RDP) and \"jump boxes\" for access.\r\nSecure your endpoints by deploying and maintaining endpoint defense tools.\r\nAlways keep all software up-to-date.\r\nKeep antivirus signatures and engines up-to-date.\r\nAvoid adding users to the local administrators’ group unless required.\r\nImplement a strong password policy and enforce regular password changes.\r\nConfigure a personal firewall on organization workstations to deny unwanted connection requests.\r\nDeactivate unnecessary services on organization workstations and servers.\r\nAbout Cyble\r\nCyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb.
Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.\r\nSource: https://blog.cyble.com/2021/06/05/prometheus-an-emerging-apt-group-using-thanos-ransomware-to-target-organizations/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.cyble.com/2021/06/05/prometheus-an-emerging-apt-group-using-thanos-ransomware-to-target-organizations/"
	],
	"report_names": [
		"prometheus-an-emerging-apt-group-using-thanos-ransomware-to-target-organizations"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434647,
	"ts_updated_at": 1775791230,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9865d9fd7f05daf34d718d617a1e95f6694153fb.pdf",
		"text": "https://archive.orkl.eu/9865d9fd7f05daf34d718d617a1e95f6694153fb.txt",
		"img": "https://archive.orkl.eu/9865d9fd7f05daf34d718d617a1e95f6694153fb.jpg"
	}
}