This year, CyCraft has been involved in several cases of Prometheus attacks. Naturally, we attempted to reverse-engineer Prometheus to gain a better understanding of the attack itself, the malware, and the attacker. We discovered that it was possible to recover our customers’ encrypted files to some degree. We are sharing this internally developed tool to help other victims recover.
Visit Our GitHub | https://github.com/cycraft-corp/Prometheus-Decryptor
Direct Download | https://github.com/cycraft-corp/Prometheus-Decryptor/releases/download/1.2/prometheus_decryptor.zip
We provide a GUI version for Windows users, and all features are supported in it. If you are not an experienced programmer, please follow the steps below to decrypt your files:
The emerging ransomware group Prometheus made headlines last month with Unit42’s report. According to the report, which had observed Prometheus for 4 months, victims of the emerging ransomware group total more than 30 in multiple different countries, including the United States, the UK, and a dozen more countries in Asia, Europe, the Middle East, and South America.
Organizations targeted for attack by Prometheus included government agencies, financial services, manufacturing, logistics, agriculture, healthcare services, insurance agencies, energy, consulting, law firms, and more.
Although Prometheus claimed to be affiliated with REvil (the Russia-based ransomware group attributed to the attack on global meat supplier JBS, which succeeded in acquiring an 11 million USD ransom), Prometheus’s code and behavior are more similar to Thanos.
First observed in 2020, Thanos gained notoriety for its 43 different configuration options as well as for being the first ransomware to utilize the evasion technique known as RIPlace.
RIPlace was introduced via a POC exploit in November 2019. Initially, RIPlace could bypass several ransomware defense mechanisms, including AV and certain EDR solutions. It wasn’t until a few months later that RIPlace was seen in the wild.
Like other ransomware on the ransomware-as-a-service (RaaS) market, Thanos ransomware does appear to have code overlaps with other ransomware, notably Hakbit; however, just like other ransomware, Thanos does come with customization options and appears to still be under active development.
make win32 # Windows 32-bit
make win64 # Windows 64-bit
make linux # Linux
make win32GUI # Windows 32-bit GUI (built on Windows)
make win64GUI # Windows 64-bit GUI (built on Windows)
Usage of ./bin/prometheus_decrypt:
-b string
Custom search with byte value. (i.e. \xde\xad\xbe\xef -> deadbeef)
Please use ?? to match any byte (i.e. de??beef)
-c Use current tickcount. (only support in Windows)
-e string
Search file extension.
-f int
Found candidate. (default 1)
-i string
Input encrypted file.
-k string
Decrypt with this key.
-m int
Move backward m minutes from the current decrypted seed when guessing the next sample. (default 30)
-o string
Output decrypted file.
-p int
Use n thread. (default 1)
-r Reversed tickcount.
-s string
Custom search with regular expression.
-t int
Start tickcount.
Brute force the random seed of a png image from tickcount 0.
./prometheus_decrypt -i ./sample/CyCraft.png.PROM\[prometheushelp@mail.ch\] -o ./output/CyCraft.png -e png -p 16
In this command, there are 4 arguments: -i (the input encrypted file), -o (the output decrypted file), -e (the file extension to search for, here png), and -p (the number of threads, here 16).
Brute force the random seed of a png image from tickcount 100000 in reversed order.
./prometheus_decrypt -i ./sample/CyCraft.png.PROM\[prometheushelp@mail.ch\] -o ./output/CyCraft.png -e png -p 16 -t 100000 -r
There are 2 additional arguments: -t (the start tickcount, here 100000) and -r (walk the tickcounts in reversed order).
Brute force the random seed of a png image from the current tickcount in reversed order. This feature is usually combined with reversed order.
./prometheus_decrypt -i ./sample/CyCraft.png.PROM\[prometheushelp@mail.ch\] -o ./output/CyCraft.png -e png -p 16 -c -r
There is an additional argument: -c (use the current tickcount as the start; supported on Windows only).
Decrypt (Encrypt) a file with a provided key.
./prometheus_decrypt -i ./sample/CyCraft.png.PROM\[prometheushelp@mail.ch\] -o ./output/CyCraft.png -k "+@[%T-mZSh+E[^^i{W:dpwnhdL4<b8D4"
There is an additional argument: -k (decrypt with this 32-byte key; since the stream cipher is symmetric, the same option also encrypts a plaintext file).
Brute force the random seed of a text file with a known string “we had another great”.
./prometheus_decrypt -i ./sample/test.txt.enc -o ./output/test.txt -p 16 -s "we had another great"
There is an additional argument: -s (custom search with a regular expression, here the known plaintext string).
Brute force the random seed of a png file with its header in hex.
./prometheus_decrypt -i ./sample/test.txt.enc -o ./output/test.txt -p 16 -b '89??4e??0d??1a0a??00'
There is an additional argument: -b (custom search with a byte pattern, where ?? matches any byte).
Custom search with a byte pattern is much more convenient than a regular expression, since many file formats have headers that cannot be expressed with visible characters.
Brute force the random seeds of all files in a directory.
./prometheus_decrypt -i ./sample -o ./output -p 16 -m 1 -f 2
There are two additional arguments: -m (move backward m minutes from the last decrypted seed when guessing the next file; the next search starts at seed - m*60*1000 as the start tickcount) and -f (the number of found candidates to keep per file, here 2). Since there are lots of files to decrypt, you can press Ctrl-C to skip the file currently being guessed.
Since we match files by their magic number, a file might match even when a wrong key is provided. Therefore we keep guessing after a match; you can terminate the process at any time once you find the correctly decrypted file.
% ./prometheus_decrypt -i ./sample/test.txt.enc -o ./output/test.txt -p 16 -s "we had another great"
Decrypt file with seed 615750, key: +@[%T-mZSh+E[^^i{W:dpwnhdL4<b8D4, path: ./output/615750_test.txt
2795306...
We match the magic number with https://github.com/h2non/filetype. Here are the file types we currently support:
Image
image/jpeg
image/png
image/gif
image/webp
image/x-canon-cr2
image/tiff
image/bmp
image/heif
image/vnd.ms-photo
image/vnd.adobe.photoshop
image/vnd.microsoft.icon
image/vnd.dwg
Video
video/mp4
video/x-m4v
video/x-matroska
video/webm
video/quicktime
video/x-msvideo
video/x-ms-wmv
video/mpeg
video/x-flv
video/3gpp
Audio
audio/midi
audio/mpeg
audio/m4a
audio/ogg
audio/x-flac
audio/x-wav
audio/amr
audio/aac
Application
application/epub+zip
application/zip
application/x-tar
application/vnd.rar
application/gzip
application/x-bzip2
application/x-7z-compressed
application/x-xz
application/zstd
application/pdf
application/vnd.microsoft.portable-executable
application/x-shockwave-flash
application/rtf
application/x-iso9660-image
application/octet-stream
application/postscript
application/vnd.sqlite3
application/x-nintendo-nes-rom
application/x-google-chrome-extension
application/vnd.ms-cab-compressed
application/vnd.debian.binary-package
application/x-unix-archive
application/x-compress
application/x-lzip
application/x-rpm
application/x-executable
application/dicom
application/msword
application/vnd.openxmlformats-officedocument.wordprocessingml.document
application/vnd.ms-excel
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
application/vnd.ms-powerpoint
application/vnd.openxmlformats-officedocument.presentationml.presentation
application/font-woff
application/font-sfnt
application/wasm
application/vnd.android.dex
application/vnd.android.dey
Prometheus ransomware encrypts files with Salsa20 under a random password derived from the tickcount. The password is 32 bytes long and every character is a visible character. Since the password is seeded from the tickcount, the key space is small enough to brute-force.
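As an added illustration of the search described above and of the -b/-s checks from the examples (not code from the Prometheus-Decryptor project), the following Python shows the tickcount walk behind the -t/-r/-m options and the plaintext matchers. The password derivation and the stream cipher are hypothetical stand-ins, since the page states only that the password is 32 visible characters seeded from the tickcount and that Salsa20 is used; the sample ciphertext is constructed inline.

```python
import random
import re
import string

VISIBLE = string.digits + string.ascii_letters + string.punctuation  # the 94 visible ASCII chars

def derive_password(tickcount):
    # Hypothetical stand-in: the page gives only the seed source, length (32) and charset, not the generator.
    rng = random.Random(tickcount)
    return "".join(rng.choice(VISIBLE) for _ in range(32)).encode()

def stream_xor(password, data):
    # Stand-in for Salsa20 (XOR with a password-seeded keystream); symmetric, so it encrypts and decrypts alike.
    rng = random.Random(password)
    return bytes(b ^ rng.getrandbits(8) for b in data)

def byte_pattern_matcher(pattern):
    # The tool's -b syntax: hex bytes where '??' matches any byte, e.g. 89??4e??0d??1a0a??00.
    if len(pattern) % 2:
        raise ValueError("pattern needs an even number of hex digits")
    toks = [pattern[i:i + 2] for i in range(0, len(pattern), 2)]
    regex = b"".join(b"." if t == "??" else b"\\x%02x" % int(t, 16) for t in toks)
    return re.compile(regex, re.DOTALL).match  # anchored at offset 0, like a magic number

def known_string_matcher(text):
    # The tool's -s option: accept a candidate plaintext that contains the known string.
    return lambda plain: text.encode() in plain

def next_start(found_seed, minutes):
    # The tool's -m option: start the next file's search m minutes before the last seed.
    return max(0, found_seed - minutes * 60 * 1000)

def brute_force(ct, matcher, start=0, reverse=False, limit=100_000):
    # Walk tickcounts from `start`, upwards or downwards (like -r), until a candidate
    # plaintext satisfies the matcher; returns (seed, password, plaintext) or None.
    for n in range(limit):
        seed = start - n if reverse else start + n
        if seed < 0:
            break
        password = derive_password(seed)
        plain = stream_xor(password, ct)
        if matcher(plain):
            return seed, password, plain
    return None

def demo():
    # Constructed sample: a PNG signature plus a few bytes, encrypted under seed 615750 (the seed in the page's output).
    png = bytes.fromhex("89504e470d0a1a0a0000000d49484452") + b"\x00" * 8
    ct = stream_xor(derive_password(615750), png)
    return brute_force(ct, byte_pattern_matcher("89??4e??0d??1a0a??00"), start=615700)
```

A wrong seed yields pseudo-random bytes, so the anchored magic-number check rejects it and the walk continues until the correct tickcount reproduces the PNG signature.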
Writer: CyCraft
CyCraft is a cybersecurity company specializing in AI-driven automation technology. Founded in 2017, it is headquartered in Taiwan with overseas offices in Japan and Singapore, and it serves government agencies, police and defense organizations, banks, and high-tech manufacturers across the Asia-Pacific region. CyCraft's AI and machine learning solutions have earned strong backing from the CID Group and from Pavilion Capital under Temasek Holdings, have been evaluated in multiple categories by leading international research firms such as Gartner, IDC, and Frost & Sullivan, and have won numerous domestic and international awards. The company also participates in many security communities and conferences at home and abroad, and has contributed to the development of the security industry for many years.