
RISING HACKING GROUP PROMETHEUS PUTS MEXICAN GOVERNMENT'S DATA UP FOR SALE


INTRODUCTION

Prometheus, a rising ransomware group, was recently involved in stealing data belonging to the Mexican Government. The data is currently still available for sale.

As reported by Resecurity, a cybersecurity firm located in Los Angeles, the attack was carried out by exploiting network resources related to Mexican Government agencies and is one of the first attacks of this scale to target Latin America.

Details

As a way to flaunt their “Resume,” the group also published data from 27 different victims, which included countries as well as organizations.

The group employed Sonar, a data transfer tool deployed on the Tor network, but changed to an automatic ticket-based system shortly after. This benefited the group by allowing victims to pay in cryptocurrency, specifically BTC or XMR, to advance the automated decryption process.

Failure to pay resulted in the data being sold to interested parties, an outcome experienced by about 50% of Prometheus’ victims who did not pay.

However, the email address of Prometheus was visible for a while (before the flaw was patched), courtesy of a SQL injection vulnerability in the threat actors’ leak site on Tor.

Antivirus engines have detected the malicious activity related to Prometheus as Thanos ransomware. Developed by Nosophoros, this ransomware is sold in multiple Dark Web communities. The same developer was also involved in advertising Jigsaw ransomware and in other illicit activities, including the sale of malicious VPN access to numerous networks.

Prometheus also published a new logo containing text that implies ties with another ransomware group called REvil. REvil, however, has not validated any direct ties with Prometheus, leaving it a mystery as to how closely the two groups are working together, if at all.

Earlier, a ransomware group called Grief also breached an organization in Mexico and used a rather cunning strategy for extortion by referencing specific GDPR regulations on their home page.

As data becomes a key resource for companies and organizations, threat actors are getting more creative in the ways they breach confidential information, with potentially devastating consequences. According to one statistic, 2020 saw a staggering 300% increase in the amount paid as ransom to attackers, with the most frequent victims being manufacturing, education, and construction companies. Healthcare industries also saw a significant increase in attacks amidst the COVID-19 pandemic.
