CyCraft, a Taiwanese cybersecurity company, has released a free decryptor to help victims of the ransomware known as Prometheus recover and decrypt their files.
It is available on GitHub and can effectively break by brute force the Salsa20 encryption key and a password that were used to lock the data.
“[The] Prometheus ransomware use Salsa20 with a tickcount-based random password to encrypt [files]. The size of the random password is 32 bytes, and every character is a visible character. Since the password use [the] tickcount as the key, we can guess it brutally,” CyCraft researchers wrote in a recent blog post.
According to Emsisoft, the only downside of CyCraft’s decryptor is that it can only brute-force keys for small files.
However, the release of the decryptor has had an impact on the activity level of the Prometheus gang.
The last date that the Prometheus gang published anything on its dark web site was July 13, 2018, which is the release date of the decryptor. And two weeks later, Prometheus has shut down its operations.
This group, which was first spotted in February, had been rather prolific and claimed to have encrypted over 40 victims. It also claimed to be associated with the REvil gang, which was responsible for the highly publicized attack on Kaseya.
The two strains are, however, very different. REvil was a C++-based malware, while Prometheus was coded in C# and based on a leaked code from Thanos.
After Prometheus disappeared from the horizon, a group called Haron emerged instead, leading many to believe that this group was a rebranded Prometheus.
An Emsisoft spokesperson stated that the company could still develop a decryptor that would allow users to recover large files.
With new victims of Thanos-based ransomware appearing on a weekly basis, this had better happen sooner than later.
Image: secindgroup.com
