Cyber Incident Victim: A-1 Machine Manufacturing

Date:

Jun 2021

Location:

United States of America

Summary

A manufacturing organization was targeted by the Prometheus ransomware group, which resurfaced claiming ties to the REvil operation. The attackers deployed Thanos ransomware, a 32-bit .NET executable with obfuscated code and base64-encoded strings, whose routines terminate processes such as excel.exe and steam.exe, stop services, alter firewall configurations, and encrypt files with AES. After encryption, the malware dropped ransom notes in both HTA and text formats. Analysis revealed plaintext strings used to check the conditions under which the ransomware runs, alongside deliberate service interruptions intended to maximize operational disruption before files were encrypted.


Description

On or around June 2, 2021, the Prometheus ransomware group reemerged as an active threat actor, publicly announcing its return through a dark web blog that Cyble Research monitored during routine threat hunting. The group declared an affiliation with the REvil ransomware operation. Prometheus deployed Thanos ransomware, a 32-bit .NET executable whose code is obfuscated to evade initial detection. Analysis of the malware revealed base64-encoded strings alongside plaintext strings used to check the conditions under which the ransomware executes. Upon activation, Thanos systematically disrupted the victim environment by terminating processes (including excel.exe and steam.exe), stopping services, and modifying firewall rules so that its activity could proceed unimpeded. The ransomware then ran its primary encryption routine, using AES to lock files across the compromised systems.

Following encryption, Thanos dropped ransom notes in both HTA and text formats to pressure victims into payment negotiations. Cyble identified and published Indicators of Compromise (IoCs), including SHA-256 hashes specific to the malware sample, to enable network defenders to detect related activity. The incident demonstrated Prometheus’s operational maturity through its use of code obfuscation, anti-analysis techniques, and integration of multiple persistence mechanisms. No specific victim impact metrics—such as downtime duration, data exfiltration volume, or financial losses—were disclosed in the analyzed source material. Similarly, no containment measures or remediation actions taken by affected organizations were detailed beyond the external identification of IoCs and technical dissection of the ransomware’s behavior by cybersecurity researchers.
