Cybersecurity firm CyCraft has created a free program that can assist victims of the Prometheus ransomware in recovering and decrypting some of their files.
The decryptor, which is available on GitHub, works by brute-forcing the encryption key that was used to lock the victim’s information.
In order to encrypt [files], Prometheus ransomware uses Salsa20 and a tick count-based random password. The random password is 32 bytes long, and every character in it is a visible character. A researcher at the company stated in a blog post at the beginning of the month that “because [the] tick count is used as the key, it’s easy to predict.”
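A toy model of the weakness described above, added here as an example (it is not CyCraft's decryptor and not Prometheus's actual code): a 32-character password of visible characters is drawn from a PRNG seeded with a tick count, and recovery enumerates plausible tick values, checking each candidate key against a known file-header prefix before decrypting anything else. The stream cipher is a SHA-256 counter-mode stand-in for Salsa20, and the tick value, nonce and sample file are constructed.

```python
import hashlib
import random
import string

# "Visible" characters: the key is built only from printable, non-space symbols.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def key_from_tick(tick: int) -> bytes:
    """Toy model of a tick-count-seeded password: 32 visible characters drawn
    from a PRNG seeded with the tick count. Same tick -> same key."""
    rng = random.Random(tick)
    return "".join(rng.choice(PRINTABLE) for _ in range(32)).encode()


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in stream cipher (SHA-256 in counter mode) used instead of Salsa20."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "little")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


decrypt = encrypt  # XOR stream cipher: decryption is the same operation


def recover_key(ciphertext: bytes, nonce: bytes, known_prefix: bytes,
                tick_lo: int, tick_hi: int):
    """Enumerate tick counts in [tick_lo, tick_hi), derive each candidate key,
    decrypt only the first len(known_prefix) bytes and compare against the
    expected file header. Returns (tick, key) on a hit, else None."""
    n = len(known_prefix)
    for tick in range(tick_lo, tick_hi):
        key = key_from_tick(tick)
        if decrypt(key, nonce, ciphertext[:n]) == known_prefix:
            return tick, key
    return None


def demo() -> bool:
    tick = 7_412_358                      # constructed: ms since boot at encryption time
    nonce = b"\x00" * 8                   # constructed nonce
    plaintext = b"%PDF-1.7\n%constructed sample document body\n"
    ciphertext = encrypt(key_from_tick(tick), nonce, plaintext)
    # The recovering side knows uptime only roughly: search a +/-30 s window.
    hit = recover_key(ciphertext, nonce, b"%PDF-", tick - 30_000, tick + 30_000)
    return hit is not None and decrypt(hit[1], nonce, ciphertext) == plaintext
```

The key space here is the size of the tick window, not 95^32, which is what makes the brute force feasible.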
Emsisoft, a firm recognized for cracking numerous ransomware strains, informed The Record that CyCraft’s decryptor can only brute-force the decryption key from tiny files.
Prometheus’s activities appear to have been affected by the decryptor’s publication.
The decryptor was released on July 13, and that was also the last day the Prometheus group published anything on its dark web leak site. Two and a half weeks later, the Prometheus gang appears to have halted its activities.
On its leak site, the group had previously identified more than 40 victims. Around the time the REvil gang attacked Kaseya, the group also claimed to be affiliated with the more notorious REvil gang, a claim it later deleted.
From a coding perspective, the two couldn’t have been more different: Prometheus was built on the Thanos ransomware, which was developed in C#.
Soon after Prometheus fell silent, a new group named Haron began carrying out attacks built on top of the Thanos codebase, prompting some experts to think that the Prometheus operators rebranded as Haron after going silent.
Prometheus and the other Thanos strains might be decrypted by Emsisoft at some point, according to a company representative. If the tool were approved, it would be made available on the NoMoreRansom portal and the company’s website.
Since ransomware based on “Thanos” claims new victims every week, this might happen sooner rather than later.