Microsoft says new Prestige ransomware is being used to target transportation and logistics organizations in Ukraine and Poland in ongoing attacks.
This new ransomware was first used in the wild on October 11, in attacks detected within an hour of each other.
Attackers were seen deploying the ransomware payloads across their victims’ enterprise networks, a tactic very rarely seen in attacks targeting Ukrainian organizations.
“The activity shares victimology with recent Russian state-aligned activity, specifically on affected geographies and countries, and overlaps with previous victims of the FoxBlade malware (also known as HermeticWiper),” the Microsoft Threat Intelligence Center (MSTIC) said.
HermeticWiper is destructive data-wiping malware (a "wiper") that was first seen deployed against Ukrainian organizations shortly before the start of Russia's invasion of Ukraine.
“This activity was not connected to any of the 94 currently active ransomware activity groups that Microsoft tracks. The Prestige ransomware had not been observed by Microsoft prior to this deployment,” MSTIC added.
At the moment, Microsoft has yet to link the Prestige ransomware attacks to a specific threat actor and is temporarily tracking this activity cluster as DEV-0960.
Redmond is working on notifying all customers who have been compromised and had their systems encrypted with this ransomware.
Multiple ransomware deployment methods
The threat group behind these attacks used several different methods to deploy the ransomware payloads across victims' networks, an unusual choice for a single campaign; MSTIC notes that the switching between techniques does not appear to have been prompted by defenders blocking earlier attempts.
In the report, MSTIC highlights the following three methods used for Prestige ransomware deployment:
Method 1: The ransomware payload is copied to the ADMIN$ share of a remote system, and Impacket is used to remotely create a Windows Scheduled Task on target systems to execute the payload
Method 2: The ransomware payload is copied to the ADMIN$ share of a remote system, and Impacket is used to remotely invoke an encoded PowerShell command on target systems to execute the payload
Method 3: The ransomware payload is copied to an Active Directory Domain Controller and deployed to systems using the Default Domain Group Policy Object
Once deployed, the Prestige ransomware payload drops a ransom note named "README.txt" in the root directory of each drive it encrypts.
It encrypts files based on extensions matching a predefined list and adds the .enc extension at the end of the files’ names after encryption.
It uses the Crypto++ (CryptoPP) C++ library to AES-encrypt each matching file on compromised systems, and it deletes the backup catalog and all volume shadow copies to hinder recovery efforts.
Microsoft shared a list of indicators of compromise (IOCs) and advanced hunting queries to help defenders detect and mitigate Prestige ransomware attacks.
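As an added illustration (not Microsoft's hunting queries and not code from the report), the script below runs a simplified offline hunt for the three deployment methods and the recovery-inhibition behaviour described above over constructed process-creation events in the shape of Windows Security 4688 / Sysmon event 1 records. The specific command-line shapes are assumptions drawn from common tooling rather than details the article states: the `cmd.exe /Q /c ... 1> \\127.0.0.1\ADMIN$\__<timestamp> 2>&1` pattern is the output redirection used by Impacket's wmiexec, `{31B2F340-016D-11D2-945F-00C04FB984F9}` is the well-known GUID of the Default Domain Policy GPO, and `vssadmin delete shadows` / `wbadmin delete catalog` are the usual commands for deleting shadow copies and the backup catalog. Hostnames, paths and the payload name `svc.exe` are made up.

```python
import base64
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (host, image path, command line, parent image)."""
    host: str
    image: str
    cmdline: str
    parent: str


def encode_ps(command: str) -> str:
    """Encode a command the way powershell.exe -EncodedCommand expects (base64 of UTF-16LE)."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(b64: str):
    """Decode an -EncodedCommand argument; returns None if it is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


# Any UNC reference to a remote ADMIN$ share (payload staging or output redirection).
ADMIN_SHARE_RE = re.compile(r"\\\\[^\\\s]+\\ADMIN\$\\", re.IGNORECASE)
# Impacket wmiexec redirects command output to \\127.0.0.1\ADMIN$\__<unix timestamp> (assumed signature).
WMIEXEC_OUTPUT_RE = re.compile(r"\\\\127\.0\.0\.1\\ADMIN\$\\__\d+", re.IGNORECASE)
# -EncodedCommand and its common abbreviations, followed by the base64 blob.
ENCODED_PS_RE = re.compile(r"\s-(?:encodedcommand|enc|ec|en|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Well-known GUID of the Default Domain Policy GPO; files under its SYSVOL folder are GPO-delivered.
DEFAULT_DOMAIN_GPO = "{31B2F340-016D-11D2-945F-00C04FB984F9}".lower()
# (tool, verb) pairs that remove the backup catalog or volume shadow copies (assumed, typical commands).
RECOVERY_INHIBIT = (("vssadmin", "delete shadows"), ("wbadmin", "delete catalog"), ("wmic", "shadowcopy delete"))


def hunt(events):
    """Return a list of findings ({rule, host, detail}) for the four behaviours above."""
    findings = []
    for ev in events:
        cl, low = ev.cmdline, ev.cmdline.lower()
        # Methods 1 and 2: payload executed via the remote ADMIN$ share (Impacket-style).
        if ADMIN_SHARE_RE.search(cl):
            rule = "impacket_wmiexec" if WMIEXEC_OUTPUT_RE.search(cl) else "admin_share_exec"
            findings.append({"rule": rule, "host": ev.host, "detail": cl})
        # Method 2: encoded PowerShell; decode it so the analyst sees the real command.
        m = ENCODED_PS_RE.search(cl)
        if m and re.search(r"powershell|pwsh", ev.image + " " + cl, re.IGNORECASE):
            decoded = decode_encoded_command(m.group(1)) or "<undecodable>"
            findings.append({"rule": "encoded_powershell", "host": ev.host, "detail": decoded})
        # Method 3: binary launched from the Default Domain Policy folder or by the GPO script engine.
        if DEFAULT_DOMAIN_GPO in ev.image.lower() or ev.parent.lower().endswith("gpscript.exe"):
            findings.append({"rule": "default_domain_gpo_exec", "host": ev.host, "detail": ev.image})
        # Post-deployment: backup catalog / shadow copy deletion.
        for tool, verb in RECOVERY_INHIBIT:
            if tool in low and verb in low:
                findings.append({"rule": "recovery_inhibition", "host": ev.host, "detail": cl})
    return findings


# Constructed sample telemetry; none of it is real data from the Prestige incidents.
PAYLOAD = r"C:\Windows\svc.exe"
SAMPLE_EVENTS = [
    ProcEvent("srv-01", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /Q /c " + PAYLOAD + r" 1> \\127.0.0.1\ADMIN$\__1665484800.12 2>&1",
              r"C:\Windows\System32\wbem\WmiPrvSE.exe"),
    ProcEvent("srv-01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoP -W Hidden -EncodedCommand " + encode_ps("Start-Process " + PAYLOAD),
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent("ws-42", r"\\corp.example\SYSVOL\corp.example\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Scripts\Startup\svc.exe",
              r"\\corp.example\SYSVOL\corp.example\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Scripts\Startup\svc.exe",
              r"C:\Windows\System32\gpscript.exe"),
    ProcEvent("srv-01", r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet", PAYLOAD),
    ProcEvent("srv-01", r"C:\Windows\System32\wbadmin.exe", "wbadmin delete catalog -quiet", PAYLOAD),
    ProcEvent("ws-07", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\Scripts\inventory.ps1", r"C:\Windows\explorer.exe"),  # benign noise
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['host']:7} {f['rule']:24} {f['detail']}")
```

Each of the three deployment methods leaves a different trace (WMI-spawned cmd.exe writing to ADMIN$, an encoded PowerShell launch, or a binary executing out of the Default Domain Policy's SYSVOL path), which is why a hunt should cover all three rather than assuming the actor will reuse one; the shadow-copy and catalog deletion is the common tail and the highest-confidence signal of the four.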