article featured image


Prometheus ransomware uses the branding of REvil in an attempt to piggyback on the fame of one of the most successful ransomware groups ever.

An emerging ransomware operation might be linked to the veteran cyber-criminal group while also attempting to piggyback on the reputation of one of the most notorious forms of ransomware.

More About the Prometheus Ransomware

Prometheus ransomware first appeared in February. The criminals behind it encrypt networks and demand a ransom for the decryption key while also using double extortion tactics in order to be able to threaten to leak stolen data if their demands for cryptocurrency aren’t met.

Just like many ransomware operations from 2021, the group is functioning just like a professional enterprise, referring to the victims of its cyberattacks as “customers” and maintaining communication with them through a ticketing system.

The cyber actors that are behind Prometheus claimed to have hit over 30 victims around the world so far, including organizations from North America, Europe, and Asia, like governments, financial services, manufacturing, logistics, consulting, agriculture, healthcare services, insurance agencies, energy, and law.

Victims Are Willing to Pay the Ransom

However, it looks like only four victims have paid to date, according to the group’s leak website.

On the website, Prometheus claims that a Peruvian agricultural company, a Brazilian healthcare services provider, and transportation and logistics organizations in Austria and Singapore paid the ransoms.

An interesting trait that Prometheus has is the use of the branding of REvil’ on the ransom note and across its communication platforms, but despite the use of REvil’s name, it does not look like any link exists between the two operations, therefore it’s likely that Prometheus is attempting to use the name of the more established cybercriminal operation in order to increase its chance of receiving a ransom payment.

Since there is no solid connection other than the reference of the name, our running theory is that they are leveraging the REvil name to increase their chances of securing payment. If you search for REvil, the headlines are going to speak for themselves versus searching Prometheus ransomware where probably nothing major would’ve come up.


After managing to compromise the victims with ransomware, Prometheus is making the ransom requests in a bespoke manner, depending on the target, with the demands ranging from $6,000 to $100,000. The ransom is usually demanded in Monero probably because Monero transactions are more difficult to track than Bitcoin.

At this moment it’s believed that the group is active and will remain active as long as its attacks keep being profitable.

As long as Prometheus keeps targeting vulnerable organizations, it will keep running campaigns.

Going forward we would expect this group to keep adding victims to their leak site, and change their techniques as needed.


Looking into the way in which Prometheus and other ransomware groups rely on breaching user accounts in order to embed themselves on networks, the use of multi-factor authentication remains one of the most efficient ways to keep your organization safe, as deploying it to all users adds another barrier to attacks, therefore making it harder for cybercriminals to exploit stolen credentials.

Heimdal Official Logo
Your perimeter network is vulnerable to sophisticated attacks.

Heimdal® Network DNS Security

Is the next-generation network protection and response solution that will keep your systems safe.
  • No need to deploy it on your endpoints;
  • Protects any entry point into the organization, including BYODs;
  • Stops even hidden threats using AI and your network traffic log;
  • Complete DNS, HTTP and HTTPs protection, HIPS and HIDS;
Try it for FREE today 30-day Free Trial. Offer valid only for companies.
Author Profile

Dora Tudor

Cyber Security Enthusiast

linkedin icon

Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.

Leave a Reply

Your email address will not be published. Required fields are marked *