[TheRecord] Decryptor released for Prometheus ransomware victims

Taiwanese security firm CyCraft has released a free application that can help victims of the Prometheus ransomware recover and decrypt some of their files.

Available on GitHub, the decryptor effectively works by brute-forcing the encryption key used to lock the victim’s data.

“[The] Prometheus ransomware use Salsa20 with a tickcount-based random password to encrypt [files]. The size of the random password is 32 bytes, and every character is a visible character. Since the password use [the] tickcount as the key, we can guess it brutally,” the company’s experts wrote in a blog post at the start of the month.

The only downside of CyCraft’s decryptor is that it can brute-force the decryption key only from small files, Emsisoft, a company known for breaking several ransomware strains, has told The Record.
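To make the weakness concrete, here is an added, constructed model that is neither CyCraft’s decryptor nor Prometheus code: a 32-character “random” password drawn from a PRNG seeded with a millisecond tick counter, and the recovery loop that enumerates candidate tick values and checks each one against a known file header. SHA-256 in counter mode stands in for Salsa20 (the Python standard library has no Salsa20, and the flaw lives in the key derivation, not the cipher); the tick window, the PRNG and the PDF magic are assumptions.

```python
"""Why a tick-count-seeded password is recoverable: the key space collapses to the
tick values that were plausible at encryption time. Constructed model, not Prometheus."""
import hashlib
import random
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # "visible" characters
MAGIC = b"%PDF-"  # known plaintext: first bytes of the original file (assumed file type)


def password_from_tick(tick: int) -> bytes:
    """32-character password from a PRNG seeded with a tick count (models a
    millisecond uptime counter used as the seed). Same tick -> same password."""
    rng = random.Random(tick)
    return "".join(rng.choice(ALPHABET) for _ in range(32)).encode()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stream-cipher stand-in for Salsa20: SHA-256 keystream in counter mode.
    Encryption and decryption are the same XOR operation."""
    out = bytearray()
    for block, i in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + block.to_bytes(8, "little")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def recover_tick(ciphertext: bytes, tick_lo: int, tick_hi: int):
    """Enumerate candidate tick counts inside an assumed window; the first candidate
    whose password decrypts the header to MAGIC is the key. Only 32 bytes are
    decrypted per guess, so each check is cheap."""
    header = ciphertext[:32]
    for tick in range(tick_lo, tick_hi):
        if keystream_xor(password_from_tick(tick), header).startswith(MAGIC):
            return tick
    return None


def demo() -> tuple:
    """Encrypt a constructed sample, then recover the tick and the whole file."""
    plaintext = MAGIC + b"1.7 constructed sample document body"
    real_tick = 2_345_678  # ms since boot at encryption time (constructed value)
    ciphertext = keystream_xor(password_from_tick(real_tick), plaintext)
    found = recover_tick(ciphertext, real_tick - 5000, real_tick + 5000)
    recovered = keystream_xor(password_from_tick(found), ciphertext) if found is not None else b""
    return found, recovered == plaintext


if __name__ == "__main__":
    print(demo())
```

The same loop run over the full 32-bit tick range is what a compiled decryptor does; the defensive lesson is that key material must come from a CSPRNG, never from a counter with a few bits of real entropy.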

However, the decryptor’s release appears to have had an impact on the activity of the Prometheus gang.

The decryptor was released on July 13, which also marked the last date on which the Prometheus gang published any content on its dark web leak site. Two and a half weeks later, the Prometheus gang appears to have ceased operations.


First spotted in February this year, the gang had previously listed more than 40 victims on its leak site. It drew some attention to itself by claiming an association with the more infamous REvil gang, a claim it removed after REvil’s attack on Kaseya.

In fact, codewise, the two ransomware strains couldn’t have been more different. REvil was an advanced piece of C++ malware, while Prometheus was based on the leaked code of the Thanos ransomware, coded in C#.

Shortly after Prometheus went silent, a new group called Haron, also operating on top of the Thanos codebase, started attacks, leading some experts to believe that Prometheus operators rebranded as Haron.

An Emsisoft spokesperson did not rule out that the company would eventually create a decryptor for Prometheus and the other Thanos strains that could also recover large files. If they do, the app would be made available on the company’s website and the NoMoreRansom portal.

With Thanos-based ransomware strains claiming new victims on a weekly basis, this might happen sooner rather than later.

Chart: submissions of Thanos ransomware strains to ID-Ransomware

The post Decryptor released for Prometheus ransomware victims appeared first on The Record by Recorded Future.
