Caleb Boma | June 1st, 2021

Prometheus is a new player in the ransomware threat landscape that claims to have ties to the REvil ransomware group. After publishing leaked data from the Mexican government, the group is making a grand entrance as a ransomware threat.

According to a Los Angeles security firm, the data was likely stolen from email accounts due to business email compromise (BEC) and the compromise of network resources belonging to several Mexican government agencies. The Prometheus group has already published data from 27 different victims. Those include Ghana National Gas, Tulsa Cardiovascular Center of Excellence, Hotel Nyack, and enterprises in several other countries.

The logo on their leak site reads “Prometheus, Group of REvil” which may be true, but could also be an attempt to associate their name with the prominent threat group in order to gain some attention.

In the beginning stages of their attacks, they leverage Sonar, a secure data transfer tool deployed on the Tor network that provides an API. What’s unusual about the Prometheus ransomware is that it is detected as Thanos ransomware by most antivirus engines.

Grief ransomware has stolen data from 5 organizations, 1 of them in Mexico. SpearTip’s engineers regularly scan dark web sites, both to confirm the legitimacy of threat actors and threat groups and to investigate further what data was stolen from victims. What the Grief ransomware operators have done with their dark web site is add anti-crawl protection so that it cannot be indexed automatically.

At the top of their site, they cite a GDPR provision in an effort to coerce quicker payment: “The GDPR at Article 33 requires that, in the event of a personal data breach, data controllers should notify the appropriate supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it.”

A few recent victims are Mobile County, Alabama, and Comune di Porto Sant’Elpidio.

SpearTip’s engineers are actively responding to threats at every moment of the day. They’re even working as you’re reading this. This around-the-clock dedication to protecting partners is what makes our services hold so much value.

As new actors arise almost daily in the threat landscape, it’s vital to incorporate cybersecurity into your organization’s investments. Not only will you have a group of highly technical engineers continuously monitoring your networks, but you won’t ever have to worry about the constant threats looking to take your company’s hard-earned profit.

Our team continuously monitors environments 24/7 from our US-based Security Operations Center. Our certified engineers work in unison with our proprietary endpoint detection and response tool, ShadowSpear®. This allows your organization to have direct communication with our engineers at any moment and a completely transparent view of your risk profile.

If you think your organization has been breached, call our Security Operations Center at 833.997.7327.