Pierluigi Paganini
October 16, 2022
Microsoft reported that new Prestige ransomware is being used in attacks aimed at transportation and logistics organizations in Ukraine and Poland.
Microsoft has identified a new ransomware strain "Prestige" in limited targeted attacks in Ukraine and Poland. Several notable features differentiate this ransomware from other campaigns and payloads tracked by MSTIC. Get TTPs and protection info: https://t.co/4E3gaj1K7b
— Microsoft Threat Intelligence (@MsftSecIntel) October 14, 2022
The Prestige ransomware first appeared in the threat landscape on October 11 in attacks occurring within an hour of each other across all victims.
A notable feature of this campaign is that it is uncommon to observe threat actors attempting to deploy ransomware into the networks of Ukrainian enterprises.
Microsoft pointed out that this campaign was not connected to any of the 94 currently active ransomware activity groups that it is tracking.
The campaign shares victimology with recent operations conducted by Russia-linked threat actors.
“The activity shares victimology with recent Russian state-aligned activity, specifically on affected geographies and countries, and overlaps with previous victims of the FoxBlade malware (also known as HermeticWiper)” reads the report published by Microsoft Threat Intelligence Center (MSTIC).
HermeticWiper is destructive wiper that was discovered in February by researchers from cybersecurity firms ESET and Broadcom’s Symantec. The malicious code was employed in attacks that hit hundreds of machines in Ukraine.
Microsoft noticed that this campaign is distinct from recent destructive attacks leveraging AprilAxe (ArguePatch)/CaddyWiper or Foxblade (HermeticWiper) that hit several critical infrastructure organizations in Ukraine over the last two weeks.
MSTIC has not yet attributed the attacks to a known threat group, meantime, it is tracking the campaign as DEV-0960.
Before deploying ransomware in the target networks, the threat actors were observed using the following two remote execution utilities:
Then DEV-0960 used the following tools in some attacks to access to highly privileged credentials:
“In all observed deployments, the attacker had already gained access to highly privileged credentials, like Domain Admin, to facilitate the ransomware deployment.” continues the report. “Initial access vector has not been identified at this time, but in some instances it’s possible that the attacker might have already had existing access to the highly privileged credentials from a prior compromise.”
MSTIC researchers observed the threat actors using three methods to deploy the Prestige ransomware:
Once deployed, the Prestige ransomware drops a ransom note named “README.txt” in the root directory of each drive it encrypts.
Prestige uses the CryptoPP C++ library to AES-encrypt each eligible file, to prevent data recovery the ransomware deletes the backup catalog from the system.
Microsoft published a list of indicators of compromise (IOCs) and advanced hunting queries detect Prestige ransomware infections.
“Microsoft will continue to monitor DEV-0960 activity and implement protections for our customers.” concludes the report.
Follow me on Twitter: @securityaffairs and Facebook
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, DEV-0960)
[adrotate banner=”5″]
[adrotate banner=”13″]
