Mysterious Prestige ransomware targets organizations in Ukraine and Poland

Microsoft warns that new Prestige ransomware is targeting transportation and logistics organizations in Ukraine and Poland.

Microsoft reported that new Prestige ransomware is being used in attacks aimed at transportation and logistics organizations in Ukraine and Poland.

The Prestige ransomware first appeared in the threat landscape on October 11 in attacks occurring within an hour of each other across all victims.

A notable feature of this campaign is that it is uncommon to observe threat actors attempting to deploy ransomware into the networks of Ukrainian enterprises.

Microsoft pointed out that this campaign was not connected to any of the 94 currently active ransomware activity groups that it is tracking.

The campaign shares victimology with recent operations conducted by Russia-linked threat actors.

“The activity shares victimology with recent Russian state-aligned activity, specifically on affected geographies and countries, and overlaps with previous victims of the FoxBlade malware (also known as HermeticWiper)” reads the report published by Microsoft Threat Intelligence Center (MSTIC).

HermeticWiper is destructive wiper that was discovered in February by researchers from cybersecurity firms ESET and Broadcom’s Symantec. The malicious code was employed in attacks that hit hundreds of machines in Ukraine.

Microsoft noticed that this campaign is distinct from recent destructive attacks leveraging AprilAxe (ArguePatch)/CaddyWiper or Foxblade (HermeticWiper) that hit several critical infrastructure organizations in Ukraine over the last two weeks.

MSTIC has not yet attributed the attacks to a known threat group, meantime, it is tracking the campaign as DEV-0960.

Before deploying ransomware in the target networks, the threat actors were observed using the following two remote execution utilities:

RemoteExec – a commercially available tool for agentless remote code execution
Impacket WMIexec – an open-source script-based solution for remote code execution

Then DEV-0960 used the following tools in some attacks to access to highly privileged credentials:

winPEAS – an open-source collection of scripts to perform privilege escalation on Windows
comsvcs.dll – used to dump the memory of the LSASS process and steal credentials
ntdsutil.exe – used to back up the Active Directory database, likely for later use credentials

“In all observed deployments, the attacker had already gained access to highly privileged credentials, like Domain Admin, to facilitate the ransomware deployment.” continues the report. “Initial access vector has not been identified at this time, but in some instances it’s possible that the attacker might have already had existing access to the highly privileged credentials from a prior compromise.”

MSTIC researchers observed the threat actors using three methods to deploy the Prestige ransomware:

Method 1: The ransomware payload is copied to the ADMIN$ share of a remote system, and Impacket is used to remotely create a Windows Scheduled Task on target systems to execute the payload
Method 2: The ransomware payload is copied to the ADMIN$ share of a remote system, and Impacket is used to remotely invoke an encoded PowerShell command on target systems to execute the payload
Method 3: The ransomware payload is copied to an Active Directory Domain Controller and deployed to systems using the Default Domain Group Policy Object

Once deployed, the Prestige ransomware drops a ransom note named “README.txt” in the root directory of each drive it encrypts.

Prestige uses the CryptoPP C++ library to AES-encrypt each eligible file, to prevent data recovery the ransomware deletes the backup catalog from the system.

Microsoft published a list of indicators of compromise (IOCs) and advanced hunting queries detect Prestige ransomware infections.

“Microsoft will continue to monitor DEV-0960 activity and implement protections for our customers.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, DEV-0960)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.