
Prometey Ransomware

Posted: December 20, 2019

The Prometey Ransomware is a new malware threat that has drawn public attention in the cybersecurity world since the beginning of October 2019. It exhibits the classic capabilities and features of a ransomware infection: it encrypts files on victims' computers with the AES encryption algorithm and demands the payment of a ransom in exchange for a decryption key. The encrypted files include images, video and audio files, text documents, backups and banking data.

The Ransom Note

A text file whose name consists of a victim-specific ID followed by "-help.txt" contains the ransom note and explains that the victim's data has been locked. The attackers also threaten to delete the affected files if the user reinstalls the operating system or tries to remove Prometey from the computer. The purchase of the decryptor is supposed to be conducted over the Tor browser, and the payment is demanded in Bitcoin.

How the Prometey Ransomware is Disseminated

The Prometey Ransomware's distribution channels include unprotected RDP connections, spam e-mail campaigns, infected attachments, corrupted links on the Internet, fake software updates and many others. The ransomware secures its persistence by adding its own entries to the Windows Registry and creating malicious processes in the operating system. Some researchers claim that Prometey resembles the AnteFrigus Ransomware in the way its ransom note is written, as well as in the fact that it appends random extensions to the locked files.

Also, when used in corrupted ad campaigns, the Prometey Ransomware redirects users to the RIG Exploit Kit. The Prometey Ransomware can also be programmed to erase the Windows Shadow Volume Copies, and the decryption key is stored on a remote server controlled by the attackers, so the removal of this infection and the data recovery should be performed only by experienced PC users or with an automated removal tool.
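A filesystem triage routine for the two indicators the write-up describes (the "<ID>-help.txt" ransom note and the random extensions appended to locked files), as an added example that is not part of the original article: it locates note files and flags folders where most of the remaining files carry an extension outside an expected list. The alphanumeric shape of the victim ID, the COMMON_EXTS list and the sample directory tree are assumptions constructed for the demonstration.

```python
import os
import re
import tempfile

# Added example, not from the write-up; assumes an alphanumeric victim ID (the page says only "<ID>-help.txt").
NOTE_RE = re.compile(r"^[A-Za-z0-9]{4,}-help\.txt$", re.IGNORECASE)
# Extensions treated as ordinary for the scanned data set (illustrative list, tune per environment).
COMMON_EXTS = {".txt", ".docx", ".xlsx", ".pdf", ".jpg", ".png", ".mp3", ".mp4", ".bak", ".csv"}

def find_ransom_notes(root):
    """Sorted paths of files matching the <ID>-help.txt naming pattern."""
    return sorted(os.path.join(d, f) for d, _, files in os.walk(root)
                  for f in files if NOTE_RE.match(f))

def odd_extension_ratio(folder):
    """Share of non-note files whose extension is outside COMMON_EXTS.
    Files renamed with a random extension push this toward 1.0."""
    names = [f for f in os.listdir(folder)
             if os.path.isfile(os.path.join(folder, f)) and not NOTE_RE.match(f)]
    if not names:
        return 0.0
    odd = sum(os.path.splitext(f)[1].lower() not in COMMON_EXTS for f in names)
    return odd / len(names)

def triage(root, threshold=0.5):
    """(folder, note name, ratio) for folders holding a note plus mostly oddly named files."""
    findings = []
    for note in find_ransom_notes(root):
        folder = os.path.dirname(note)
        ratio = odd_extension_ratio(folder)
        if ratio >= threshold:
            findings.append((folder, os.path.basename(note), round(ratio, 2)))
    return findings

def build_sample_tree():
    """Constructed sample data: a clean folder and one as it would look after encryption."""
    root = tempfile.mkdtemp(prefix="prometey_demo_")
    layout = {"clean": ["report.docx", "photo.jpg", "notes.txt"],
              "hit": ["budget.xlsx.kq9z1", "scan.pdf.kq9z1", "a1b2c3d4-help.txt"]}
    for folder, names in layout.items():
        os.mkdir(os.path.join(root, folder))
        for name in names:
            open(os.path.join(root, folder, name), "w").close()  # empty placeholder file
    return root

def demo():
    """Build the sample tree, then return (ransom note paths, triage findings)."""
    root = build_sample_tree()
    return find_ransom_notes(root), triage(root)
```

Calling demo() builds the constructed tree in a temporary directory and returns the notes found and the flagged folders; in an investigation, point find_ransom_notes and triage at the suspect volume instead.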
