{
	"id": "85c8bce4-4593-4eac-a06a-ae7554bca3fe",
	"created_at": "2026-04-06T00:13:10.38112Z",
	"updated_at": "2026-04-10T03:20:48.241125Z",
	"deleted_at": null,
	"sha1_hash": "d808196bb111e6c9c5cb91fa8b39744cfb5260b6",
	"title": "Prometheus Ransomware Gang: A Group of REvil?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 775480,
	"plain_text": "Prometheus Ransomware Gang: A Group of REvil?\r\nBy Doel Santos\r\nPublished: 2021-06-09 · Archived: 2026-04-05 20:43:29 UTC\r\nExecutive Summary\r\nUnit 42 has spent the past four months following the activities of Prometheus, a new player in the ransomware\r\nworld that uses similar malware and tactics to ransomware veteran Thanos.\r\nPrometheus leverages double-extortion tactics and hosts a leak site, where it names new victims and posts stolen\r\ndata available for purchase. It claims to have breached 30 organizations in government, financial services,\r\nmanufacturing, logistics, consulting, agriculture, healthcare services, insurance agencies, energy and law firms in\r\nthe United States, United Kingdom and a dozen more countries in Asia, Europe, the Middle East and South\r\nAmerica.\r\nLike many ransomware gangs, Prometheus runs like a professional enterprise. It refers to its victims as\r\n“customers,” communicates with them using a customer service ticketing system that warns them when payment\r\ndeadlines are approaching and even uses a clock to count down the hours, minutes and seconds to a payment\r\ndeadline.\r\n“We are closing the ticket and have started an auction on your data,” the group threatens when victims fail to pay\r\nup. But there’s an out: Victims can click to open a new “ticket” if they’re willing to pay up to stop the auction and\r\nrecover their data.\r\nOnly four victims have paid to date, according to the group’s leak site. It claims that a Peruvian agricultural\r\ncompany, a Brazilian healthcare services provider and transportation and logistics organizations in Austria and\r\nSingapore paid ransoms. However, we’re unable to confirm the ransom amounts.\r\nOne interesting note is that Prometheus claims to be part of the notorious ransomware gang REvil. Unit 42 has\r\nseen no indication that these two ransomware gangs are related in any way. 
The claim may be an attempt to\r\nexploit REvil’s name to persuade victims to pay up, or it could be a false flag to take attention away from Thanos.\r\nWe’ve compiled this report to shed light on the threat posed by the emergence of new ransomware gangs like\r\nPrometheus, which are able to quickly scale up new operations by embracing the ransomware-as-a-service (RaaS)\r\nmodel, in which they procure ransomware code, infrastructure and access to compromised networks from outside\r\nproviders. The RaaS model has lowered the barrier to entry for ransomware gangs.\r\nFull visualization of the Prometheus techniques observed and the courses of action relevant for response can be\r\nviewed in the Unit 42 ATOM Viewer.\r\nIf you think you may have been impacted, please email unit42-investigations@paloaltonetworks.com or call (855)\r\n875-4631 to get in touch with the Unit 42 Incident Response team.\r\nhttps://unit42.paloaltonetworks.com/prometheus-ransomware/\r\nPage 1 of 13\n\nPrometheus Ransomware Overview\r\nPrometheus ransomware was first observed in February 2021 and is a new variant of a known strain called\r\nThanos. Thanos ransomware has been advertised for sale on underground forums since at least the first half of\r\n2020, where it has a builder that allows actors to customize a sample with a wide variety of available settings. This\r\nsuggests that different threat actors may have leveraged this builder to create their own variants and brands.\r\nIn this case, we turn our attention to one of those threat actors, Prometheus. While this ransomware gang claims to\r\nbe part of REvil, we haven’t seen any other solid connection between the two groups. REvil operates on an\r\naffiliate-driven RaaS program, but we believe the Prometheus ransomware gang may be acting on their own and\r\nattempting to leverage the infamous REvil name and reputation to improve the chance that victims will pay the\r\ndemanded ransom. 
This would not be the first time adversaries have used the names of well-known threat groups\r\nto strengthen their credibility.\r\nAt the time of writing, we don’t have information on how Prometheus ransomware is being delivered, but threat\r\nactors are known for buying access to certain networks, brute-forcing credentials or spear phishing for initial\r\naccess.\r\nWhen Prometheus ransomware is executed, it tries to kill several backup and security software-related processes,\r\nsuch as Raccine, a ransomware prevention tool that tries to stop ransomware from deleting shadow copies in\r\nWindows. Here is a sample of its approach:\r\nPrometheus ransomware appends an extension using the following format .[XXX-XXX-XXXX] (Figure 1). We\r\nfound that the extensions are hardcoded into the sample. We believe that the Prometheus ransomware operators\r\ngenerate a unique payload per victim, which is used for their negotiation site to recover files. We obfuscated the\r\nextensions because they could be used to identify the victims on the leak site. Prometheus also adds a\r\nhexadecimal string of GotAllDone at the end of all encrypted files.\r\nFigure 1. Encrypted files after execution.\r\nAfter the backup and security processes are terminated and encryption is complete, Prometheus ransomware drops\r\ntwo ransom notes: a RESTORE_FILES_INFO.TXT file and a RESTORE_FILES_INFO.TXT.hta file (Figure 2),\r\nboth containing the same information.\r\nFigure 2. 
RESTORE_FILES_INFO.hta.\r\nThe ransom note also includes instructions for contacting Prometheus ransomware operators to recover files, as\r\nwell as informing the victim that, if the demands are not met, the threat actors will release the data to the public or\r\nsell it to a third party.\r\nSince the extensions are used as a victim identifier, by following the instructions on the ransom note, we were able\r\nto take a look at the negotiation part of their site using the extensions ID to gain access. Interestingly, this group\r\nuses a ticketing system for tracking victims. The tickets include a tracking ID, created date, resolution status and\r\npriority. A victim can even open a ticket with the threat actors to request data recovery – though this will cost you\r\nextra, according to the site (Figure 3).\r\nFigure 3. Prometheus reply to a victim ticket.\r\nThe Prometheus ransomware gang tailors their ransom demand depending on the victim organization. From the\r\navailable instances observed, we have seen payments requested as low as $6,000 and as high as $100,000 in\r\nMonero (XMR). This price is doubled if the victims don’t contact the threat actors within the established\r\ntimeframe, which on average is a week. At the time of writing, four victims paid the ransom including a Peru-based agricultural company, a healthcare services provider in Brazil, and two transportation and logistics\r\norganizations – one located in Austria and the other in Singapore.\r\nFigure 4. Prometheus victim ticket.\r\nLike many current ransomware gangs, this group also created a leak site (a different section of the same website\r\nthat hosts the “ticketing system”) where they name and shame their victims (Figure 5).\r\nFigure 5. 
Prometheus leak site.\r\nThe Prometheus ransomware operators include a status per victim. We found that some of the information posted\r\non the leak site has already been sold to an unknown third party. There are also posts showing that victims within\r\nimpacted industries paid the ransom and their data was removed from the site (Figure 6).\r\nFigure 6. Leak site victim status for Prometheus ransomware out of 30 victims.\r\nPrometheus Victimology\r\nAt the time of this writing, the Prometheus leak site hosts 30 victims, impacting multiple industries globally. By\r\nreviewing the victims listed there, we generated the following graph, showing the locations of organizations impacted by\r\nthis ransomware.\r\nFigure 7. Countries impacted by Prometheus ransomware out of 30 victims.\r\nManufacturing was the most impacted industry among the victim organizations we observed, closely followed by\r\nthe transportation and logistics industry.\r\nFigure 8. Industries impacted by Prometheus ransomware out of 30 victims.\r\nOlder Prometheus Variants\r\nThe earliest Prometheus sample we encountered, first observed in February 2021 (SHA256:\r\n9bf0633f41d2962ba5e2895ece2ef9fa7b546ada311ca30f330f0d261a7fb184), behaves similarly to the more recent\r\nvariant we are currently tracking. However, it appends the following extension to the encrypted files:\r\n.PROM[prometheushelp@mail[.]ch].\r\nSome of the observed samples, when executed, opened a Windows Command Shell showing the encryption\r\nprogress (Figure 9). The most recent Prometheus samples do not display this information.\r\nFigure 9. 
Encryption progress window.\r\nAnother variant (SHA256: 11aebdff8c064c160c2b21f3a844bacaecd581d9dc2e4224d31903d2a56e2dd3)\r\nappended the .XXXXXXXXXX[prometheusdec@yahoo[.]com] extension format to encrypted files where the X\r\nis the victim ID. Like the current variant, it generates two ransom note files. The ransom note includes two ways\r\nto contact the group that are different from those offered by the current variant (Figure 10). Based on the content\r\nand instructions provided by this variant, we believe Prometheus didn’t have a leak site established at the time\r\nthey distributed it.\r\nFigure 10. RESTORE_FILES_INFO.hta (as sent by an older Prometheus variant).\r\nInstead of directing the victim to the leak site as the current variant does, the older variant of Prometheus instructs\r\nthe victim to go to a Tor site called Sonar, a web-based messaging service, and create an account. After the\r\naccount is created, the ransom note instructs the victim to send a message to the username Prometheus, containing\r\nthe file extension identifier and a link to three encrypted files to provide proof of decryption. The second method\r\nof contact is through email and includes three email addresses for contact, requesting the same information as the\r\nfirst method.\r\nThis helps us understand how the Prometheus ransomware group originally operated and shows the evolution of\r\ntheir approach to securing payment before deciding to start their own leak site.\r\nConclusion\r\nPrometheus is a new and emerging ransomware gang that uses a personalized variant of Thanos ransomware. The\r\noperators behind this ransomware are actively targeting multiple industries globally. 
Like many other ransomware\r\ngroups, Prometheus hosts a leak site to create additional pressure and shame victims into paying the ransom.\r\nWhile Prometheus claims to be part of the REvil ransomware gang, during our research, we didn’t find a solid\r\nconnection between the two ransomware groups at the time of writing this report. \r\nIndicators associated with this Threat Assessment are available on GitHub, have been published to the Unit 42\r\nTAXII feed and are viewable via the ATOM Viewer.\r\nPalo Alto Networks customers are protected from this threat by:\r\nWildFire: All known samples are identified as malware.\r\nCortex XDR with:\r\nIndicators for Prometheus/Thanos.\r\nAnti-Ransomware Module to detect Prometheus/Thanos encryption behaviors.\r\nLocal Analysis detection to detect Prometheus/Thanos binaries.\r\nAutoFocus: Tracking related activity using the Thanos tag.\r\nMore information on ransomware can be found in the 2021 Unit 42 Ransomware Threat Report.\r\nIndicators of Compromise\r\nCourses of Action\r\nThis section documents relevant tactics, techniques and procedures (TTPs) used with Prometheus and maps them\r\ndirectly to Palo Alto Networks product(s) and service(s). 
It also instructs customers on how to ensure their\r\ndevices are configured correctly.\r\nProduct / Service: Course of Action\r\nPersistence, Privilege Escalation\r\nThe below courses of action mitigate the following techniques: Registry Run Keys / Startup Folder [T1547.001]\r\nCortex XDR: Enable Anti-Exploit Protection; Enable Anti-Malware Protection\r\nDefense Evasion\r\nThe below courses of action mitigate the following techniques: Disable or Modify Tools [T1562.001], Modify Registry [T1112]\r\nCortex XDR: Look for the following BIOCs alerts to detect activity: Process attempts to kill a known security/AV tool; Enable Anti-Malware Protection\r\nDiscovery\r\nThe below courses of action mitigate the following techniques: Process Discovery [T1057]\r\nCortex XDR: XDR monitors for behavioral events via BIOCs along a causality chain to identify discovery behaviors*\r\nImpact\r\nThe below courses of action mitigate the following techniques: Data Encrypted for Impact [T1486], Inhibit System Recovery [T1490]\r\nCortex XSOAR: Deploy XSOAR Playbook - Ransomware Manual for incident response; Deploy XSOAR Playbook - Palo Alto Networks Endpoint Malware Investigation\r\nCortex XDR: Enable Anti-Malware Protection; Look for the following BIOCs alerts to detect activity*: Cortex XDR Agent - Behavioral Threat Detected\r\nTable 1. Courses of Action for Prometheus ransomware.\r\n* These analytic detectors will trigger automatically for Cortex XDR Pro customers.\r\nPalo Alto Networks has shared our findings, including file samples and indicators of compromise, in this report\r\nwith our fellow Cyber Threat Alliance members. CTA members use this intelligence to rapidly deploy protections\r\nto their customers and to systematically disrupt malicious cyber actors. 
For more information on the Cyber Threat\r\nAlliance, visit www.cyberthreatalliance.org.\r\nSource: https://unit42.paloaltonetworks.com/prometheus-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/prometheus-ransomware/"
	],
	"report_names": [
		"prometheus-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434390,
	"ts_updated_at": 1775791248,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d808196bb111e6c9c5cb91fa8b39744cfb5260b6.pdf",
		"text": "https://archive.orkl.eu/d808196bb111e6c9c5cb91fa8b39744cfb5260b6.txt",
		"img": "https://archive.orkl.eu/d808196bb111e6c9c5cb91fa8b39744cfb5260b6.jpg"
	}
}