Two New Ransomware Gangs Prometheus & Grief Enter The Scene

Two new ransomware gangs, Prometheus and Grief, have emerged in the multi-billion dollar ransomware market.

Prometheus (Prom), the first ransomware group, has already made a name for itself by publishing stolen data from the Mexican Government, arguably becoming the first cybercriminal group to hit a major state in Latin America.

The data was stolen from multiple e-mail accounts compromised through account takeover (ATO) and business e-mail compromise (BEC), and through compromises of network resources belonging to various Mexican government agencies.

Among the group’s victims are 27 US and international organizations, such as Ghana National Gas, Tulsa Cardiovascular Center of Excellence (Oklahoma, USA), and the Tulsa Center of Excellence, and companies like the Hotel Nyack in New York.

The group’s logo suggests a link to the notorious ransomware group REvil. While REvil hasn’t confirmed any relationship with Prometheus, it is possible the group uses REvil’s ransomware as its affiliate.

According to Resecurity, in the past, the group obtained its initial foothold through the use of Sonar, an open-source tool that enables users to transfer data via the Tor network. It then switched to an automated ticket system that enables victims to provide their ID and submit payment in Bitcoin or XMR.

A SQL-injection vulnerability in the Prometheus leak site, later fixed, allowed researchers to obtain an e-mail address of the ransomware operator.

Researchers note that some samples related to the Prometheus campaign are detected by AV engines as Thanos ransomware.

The Prom malware was first discovered by a researcher who goes by the username “xiaopao” from the cybersecurity firm Qihoo 360. It belongs to the Hakbit ransomware group.


Grief is another new ransomware group that claims to have stolen data from several organizations so far, including one in Mexico. Researchers say its website has anti-crawl protection that prevents them from indexing the group’s content for research purposes.

Its most recent victims are companies in the USA and Italy, Mobile County and Comune di Porto Sant’Elpidio respectively.

In 2020, the amount of ransom money paid globally to attackers increased by over 300 percent compared to the previous year. The largest number of victims in 2020 were in the construction, manufacturing, and professional services industries. The education and healthcare sectors also experienced significant increases due to the COVID-19 pandemic.

About the author

CIM Team
