{
	"id": "1743eb7d-d618-4277-8620-303175ccdc88",
	"created_at": "2026-04-06T00:19:25.215846Z",
	"updated_at": "2026-04-10T03:22:07.106651Z",
	"deleted_at": null,
	"sha1_hash": "e46d173f7d667855be79877831c1be1dd1070d57",
	"title": "Decryptor released for Prometheus ransomware victims",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 159613,
	"plain_text": "Decryptor released for Prometheus ransomware victims\r\nBy Catalin Cimpanu\r\nPublished: 2023-01-04 · Archived: 2026-04-05 17:25:10 UTC\r\nTaiwanese security firm CyCraft has released a free application that can help victims of the Prometheus\r\nransomware recover and decrypt some of their files.\r\nAvailable on GitHub, the decryptor effectively works by brute-forcing the encryption key used to lock the victim's\r\ndata.\r\n\"[The] Prometheus ransomware use Salsa20 with a tickcount-based random password to encrypt [files]. The size\r\nof the random password is 32 bytes, and every character is a visible character. Since the password use [the]\r\ntickcount as the key, we can guess it brutally,\" the company's experts wrote in a blog post at the start of the month.\r\nThe only downside of CyCraft's decryptor is that it can handle brute-forcing the decryption key from small\r\nfiles only, Emsisoft, a company known for breaking several ransomware strains, has told The Record.\r\nHowever, the decryptor's release appears to have had an impact on the activity of the Prometheus gang.\r\nReleased on July 13, this also marked the last date when the Prometheus gang published any content on its dark\r\nweb leak site. Two and a half weeks later, the Prometheus gang appears to have ceased operations.\r\nFirst spotted in February this year, the gang had previously listed more than 40 victims on its leak site. It drew\r\nsome attention to itself by claiming an association with the more infamous REvil gang, which they removed after\r\nthe REvil gang's attack on Kaseya.\r\nIn fact, codewise, the two ransomware strains couldn't have been more different. 
REvil was an advanced piece of\r\nC++ malware, while Prometheus was based on the leaked code of the Thanos ransomware, coded in C#.\r\nShortly after Prometheus went silent, a new group called Haron, also operating on top of the Thanos codebase,\r\nstarted attacks, leading some experts to believe that Prometheus operators rebranded as Haron.\r\nAn Emsisoft spokesperson did not rule out that the company would eventually create a decryptor for Prometheus\r\nand the other Thanos strains that could also recover large files. If they do, the app would be made available on the\r\ncompany's website and the NoMoreRansom portal.\r\nWith Thanos-based ransomware strains making new victims on a weekly basis, this might be sooner than later.\n\nCatalin Cimpanu\r\nis a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement\r\nactions against hackers.\r\nSource: https://therecord.media/decryptor-released-for-prometheus-ransomware-victims/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://therecord.media/decryptor-released-for-prometheus-ransomware-victims/"
	],
	"report_names": [
		"decryptor-released-for-prometheus-ransomware-victims"
	],
	"threat_actors": [],
	"ts_created_at": 1775434765,
	"ts_updated_at": 1775791327,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e46d173f7d667855be79877831c1be1dd1070d57.pdf",
		"text": "https://archive.orkl.eu/e46d173f7d667855be79877831c1be1dd1070d57.txt",
		"img": "https://archive.orkl.eu/e46d173f7d667855be79877831c1be1dd1070d57.jpg"
	}
}