Mysterious Prestige ransomware targets organizations in Ukraine and Poland

Pierluigi Paganini October 16, 2022

Microsoft warns that new Prestige ransomware is targeting transportation and logistics organizations in Ukraine and Poland.

Microsoft reported that new Prestige ransomware is being used in attacks aimed at transportation and logistics organizations in Ukraine and Poland.

The Prestige ransomware first appeared in the threat landscape on October 11 in attacks occurring within an hour of each other across all victims.

A notable feature of this campaign is that it is uncommon to observe threat actors attempting to deploy ransomware into the networks of Ukrainian enterprises.

Microsoft pointed out that this campaign was not connected to any of the 94 currently active ransomware activity groups that it is tracking.

The campaign shares victimology with recent operations conducted by Russia-linked threat actors.

“The activity shares victimology with recent Russian state-aligned activity, specifically on affected geographies and countries, and overlaps with previous victims of the FoxBlade malware (also known as HermeticWiper)” reads the report published by Microsoft Threat Intelligence Center (MSTIC).

HermeticWiper is destructive wiper that was discovered in February by researchers from cybersecurity firms ESET and Broadcom’s Symantec. The malicious code was employed in attacks that hit hundreds of machines in Ukraine.

Microsoft noticed that this campaign is distinct from recent destructive attacks leveraging AprilAxe (ArguePatch)/CaddyWiper or Foxblade (HermeticWiper) that hit several critical infrastructure organizations in Ukraine over the last two weeks.

MSTIC has not yet attributed the attacks to a known threat group, meantime, it is tracking the campaign as DEV-0960.

Before deploying ransomware in the target networks, the threat actors were observed using the following two remote execution utilities:

  • RemoteExec – a commercially available tool for agentless remote code execution
  • Impacket WMIexec – an open-source script-based solution for remote code execution

Then DEV-0960 used the following tools in some attacks to access to highly privileged credentials:

  • winPEAS – an open-source collection of scripts to perform privilege escalation on Windows
  • comsvcs.dll – used to dump the memory of the LSASS process and steal credentials
  • ntdsutil.exe – used to back up the Active Directory database, likely for later use credentials

“In all observed deployments, the attacker had already gained access to highly privileged credentials, like Domain Admin, to facilitate the ransomware deployment.” continues the report. “Initial access vector has not been identified at this time, but in some instances it’s possible that the attacker might have already had existing access to the highly privileged credentials from a prior compromise.”

MSTIC researchers observed the threat actors using three methods to deploy the Prestige ransomware:

  • Method 1: The ransomware payload is copied to the ADMIN$ share of a remote system, and Impacket is used to remotely create a Windows Scheduled Task on target systems to execute the payload
  • Method 2: The ransomware payload is copied to the ADMIN$ share of a remote system, and Impacket is used to remotely invoke an encoded PowerShell command on target systems to execute the payload
  • Method 3: The ransomware payload is copied to an Active Directory Domain Controller and deployed to systems using the Default Domain Group Policy Object
prestige ransomware ALL

Once deployed, the Prestige ransomware drops a ransom note named “README.txt” in the root directory of each drive it encrypts.

Prestige uses the CryptoPP C++ library to AES-encrypt each eligible file, to prevent data recovery the ransomware deletes the backup catalog from the system.

Microsoft published a list of indicators of compromise (IOCs) and advanced hunting queries detect Prestige ransomware infections.

“Microsoft will continue to monitor DEV-0960 activity and implement protections for our customers.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, DEV-0960)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment