Emerging ‘Prometheus’ ransomware claims 30 victims in a dozen countries, Palo Alto Networks says

Manufacturing was its most targeted industry.

A new ransomware group claims to have breached 30 organizations in government, financial services, health care services, and energy firms in the United States, United Kingdom, and a dozen more countries, according to Palo Alto Networks research published Wednesday.

The group, which Palo Alto researchers have dubbed “Prometheus,” most frequently targets the manufacturing industry. The activity comes amid ongoing concern about the effect of ransomware on national security and global supply chains after incidents at Colonial Pipeline and the meat-processing corporation JBS.

“The Prometheus ransomware gang has the potential to target organizations that would lead to national concerns,” Doel Santos, threat intelligence analyst at Palo Alto Networks’ Unit 42, wrote in an email. “These threat actors are opportunistic. They are willing to target any organization.”

The group has also targeted victims in manufacturing, logistics, consulting, agriculture, insurance, and legal industries.


Prometheus claims to be affiliated with REvil, a Russia-based hacking group the FBI blamed for an attack on the global meat supplier JBS. Researchers found no evidence tying the two groups together, nor could they confirm any of the group’s victims.

Santos described the Prometheus group as “ruthless.” The group’s site hosts leaked databases, emails, invoices, and documents that include personally identifiable information purportedly belonging to victims who failed to pay an extortion fee within a prescribed amount of time.

The group appears to be using malware similar to that used by ransomware group Thanos. The group’s emergence highlights the rapid growth of ransomware gangs thanks to the rise of ransomware-as-a-service, in which other groups rent out their code and infrastructure for use.

Modern ransomware enterprises typically function as part of a larger affiliate market. One group may specialize in developing malicious software, for instance, then lease access to that tool to a partner organization in exchange for a cut of the profit from any data breaches. The Egregor, Thanos and Conti ransomware strains are known to operate in this fashion, among others, according to specialists from the threat intelligence firms Intel 471 and Trend Micro.

The growing number of groups has made it difficult for law enforcement to stay on top of the problem. FBI Director Christopher Wray recently told the Wall Street Journal that the agency has investigated 100 different types of ransomware.


In April, the security vendor Cybereason detailed a botnet called “Prometei,” which hackers appear to leverage for cryptomining and other financial scams. “Prometei” is the Russian translation for Prometheus, though it remains unclear if there is a connection between the two hacking tools.

Written by Tonya Riley

Tonya Riley covers privacy, surveillance and cryptocurrency for CyberScoop News. She previously wrote the Cybersecurity 202 newsletter for The Washington Post and before that worked as a fellow at Mother Jones magazine. Her work has appeared in Wired, CNBC, Esquire and other outlets. She received a BA in history from Brown University. You can reach Tonya with sensitive tips on Signal at 202-643-0931. PR pitches to Signal will be ignored and should be sent via email.
