From Thanos to Prometheus: When Ransomware Encryption Goes Wrong

This post was researched by X-Force's Aaron Gdanski, who broke Prometheus's encryption. He is set to present this research at the 2022 RSA Conference in San Francisco.

---

IBM Security X-Force researchers have recently reverse-engineered Prometheus ransomware samples as part of ongoing incident response operations. X-Force found that the samples that infected organizational networks featured flawed encryption. This allowed our team to develop a fast-acting decryptor and help customers recover from the attack without the attackers' decryption key.


Although it is rare, ransomware developers do make mistakes in the way they implement encryption, introducing unintended flaws. This is not the first time X-Force has seen a faulty encryption mechanism save the day for a victimized organization. Such mistakes occur easily when malware developers stitch together patchwork code and dabble in cryptography without the appropriate expertise.


Most organized cybercrime groups do use correctly implemented encryption, which is practically impossible to break. That said, examining the implementation before assuming it is sound can make a difference for a victimized organization and change the course of negotiation and recovery.


Thanos Breeds Hakbit, Prometheus, Haron and More Ransomware Trouble

In early 2020, a new ransomware family dubbed “Thanos” was discovered for sale on underground forums frequented by cybercriminals. At the time, Thanos was advertised as a “Ransomware Affiliate Program,” available for anyone to buy. The malware received regular updates and new features over time. A closer look at its code revealed that it also served as the base for ransomware samples tracked as “Hakbit,” which were used in additional attacks targeting organizations in Austria, Switzerland and Germany.


In mid-2020, Thanos’ developer equipped it with a bootlocker and adopted a somewhat novel file-encryption technique known as “RIPlace,” weaponizing published research on evading anti-ransomware defenses that monitor how files are renamed and replaced.


In September 2020, Thanos was detected in attacks on government organizations in the MEA region. It presented victims with a black screen demanding payment to unlock their files. Although the sample also carried a routine intended to overwrite the master boot record (MBR) as a destructive finale, that routine did not work and left the MBR intact.


By June 2021, Thanos made headlines again, this time as the base code for another ransomware family, Prometheus. Prometheus was used in double-extortion attacks that encrypted files and also stole data, threatening to release it unless a hefty ransom was paid. Prometheus’ operators claimed to be part of the REvil group and even placed a logo of sorts on their ransom demands, but they provided no proof of that affiliation and may have used the claim as a pressure tactic.


Continue reading the technical details here.