Cyber Threat Actor: Prometheus
| Actor Type | Location | Known Incidents |
Crime Syndicate
|
Russia
|
2 incidents |
|---|
Profile
Prometheusis a ransomware group that operates under the alias Prometheus and is based in Russia. The group has publicly affiliated itself with the REvil ransomware operation, indicating a criminal consortium relationship rather than a state sponsor. Its known activities have focused on the manufacturing sector, as evidenced by an attack on a manufacturing organization in June 2021. The strategic objective of these operations appears to be financial gain through the deployment of ransomware that encrypts victim data and demands payment for decryption. No public reporting links the group to espionage or disruptive goals beyond the financial motive inherent in ransomware campaigns. The group's location and affiliation are the only geographic and organizational details explicitly provided in the source material. A blog hosted by the group was discovered on the darkweb by the Cyble Research team and described in an article published on June 5 2021.
In the June 2021 incident, Prometheus deployed a ransomware variant named Thanos, which is a 32‑bit .NET executable featuring obfuscated code and base64‑encoded strings. The malware terminates processes such as excel.exe and steam.exe, stops and starts services, modifies firewall rules, and employs AES encryption to lock files. After encryption, Thanos drops ransom notes in both HTA and plain‑text formats, a tactic observed in the analyzed sample. The attack also included plaintext strings that confirm the ransomware’s functionality and demonstrate deliberate service interruptions intended to increase pressure on the victim prior to encryption. Analysis of the sample yielded specific SHA256 hash indicators of compromise that were listed in the reporting. The associated article also provided best‑practice recommendations for mitigating ransomware attacks. No details about initial access vectors, such as phishing or exploit kits, are mentioned in the available reports. The described TTPs represent the only confirmed technical behaviors attributed to Prometheus in the provided context.
