Ransomware Research
Prometheus Ransomware
Prometheus is a ransomware strain that encrypts victim files and demands a ransom payment for decryption. It was first observed in the wild on March 1, 2021, and has been actively targeting systems worldwide. Security researchers also track this malware under the alias GotAllDone.
Quick Facts
- Ransomware Family: Prometheus
- First Seen: March 1, 2021
- Known Aliases: GotAllDone
How Prometheus Ransomware Works
File Encryption Patterns
Prometheus renames the files it encrypts using specific patterns that mark them as encrypted:
File extensions added after encryption:
./\.\[[A-Z0-9]{3}-[A-Z0-9]{3}-[A-Z0-9]{4}\]/
..CGP
..chaddad
..boooom
..PUUEQS8AEJ
..ltnuhr
..steriok
..unlock
..ZZZZZZZZZZ
..MATILAN
..ZORN
..PARKER
..axxes
..private
..trins
..cmblabs
..harditem
..pex8tm
..y9sx7x
.[prometheusdec@yahoo.com]
Ransom Note and Payment Demands
After encrypting files, Prometheus displays ransom notes demanding payment for file recovery:
- RESTORE_FILES_INFO.txt
  - Ransom message: notes/RESTORE_FILES_INFO.txt
  - Note locations: Desktop
- RESTORE_FILES_INFO.hta
  - Ransom message: notes/RESTORE_FILES_INFO.hta
  - Note locations: Desktop
- How_To_Recover_My_Files.hta
  - Ransom message: notes/How_To_Recover_My_Files.hta
  - Note locations: Desktop
- How_To_Recover_My_Files.txt
  - Ransom message: notes/How_To_Recover_My_Files.txt
  - Note locations: Desktop
- UNLOCK_FILES_INFO.txt
- Здравствуй Русский Мир.txt
- Инструкция.txt
- RECOVERY.txt
  - Ransom message: notes/RECOVERY.txt
  - Note locations: UserFolders
- decrypt_info.txt
  - Ransom message: notes/decrypt_info.txt
  - Note locations: EveryFolder
- DECRYPT_INFO.hta
  - Ransom message: notes/DECRYPT_INFO.hta
  - Note locations: Desktop
Technical Indicators
Associated Executable Files
The following executable files are associated with Prometheus ransomware:
h6fhhMtoyZ
gVcWDWENI8
Svchost.exe
Worker-0.exe
1svhost.exe
steriok.xxx
Svchost.bin
xXfwVJuA6l
RICcC3qIRA
14cqt0ps.exe
028726.exe
Trins.exe
RBCfWIhtoMywwLC
db.exe
56nXele4hbPS
cgpshare.exe
chaddad.exe
Garb1.exe
Client-0.exe
About This Analysis
This Prometheus ransomware analysis is part of Elastio's comprehensive ransomware detection database. Elastio provides advanced ransomware protection and recovery solutions, helping organizations defend against and recover from ransomware attacks like Prometheus.
Last updated: July 30, 2025