The Prestige: Ukraine and Poland hit by novel ransomware


Previously unknown Prestige ransomware has been observed targeting Ukraine’s and Poland's transportation and logistics industries.

The new ransomware, which labels itself in its ransom note as the "Prestige ranusomeware" [sic], was deployed on October 11 in attacks that occurred within an hour of each other across all victims, the Microsoft Threat Intelligence Center (MSTIC) said.

The company had not observed the Prestige ransomware before this deployment and said it was not connected to any of the 94 active ransomware groups currently tracked by Microsoft. It also noted that enterprise-wide deployment of ransomware is not common in Ukraine.

"The activity shares victimology with recent Russian state-aligned activity, specifically on affected geographies and countries, and overlaps with previous victims of the FoxBlade malware (also known as HermeticWiper)," MSTIC said.

Microsoft tracks the activity as DEV-0960; it has not yet been attributed to any known threat group.

MSTIC observed the threat actors using highly privileged credentials, such as Domain Admin, to execute the ransomware payload. Every deployment method seen relied on that level of access rather than on a flaw in the target systems themselves.

"Initial access vector has not been identified at this time, but in some instances, it's possible that the attacker might have already had existing access to the highly privileged credentials from a prior compromise," Microsoft said.

Researchers detailed three methods used to deploy the Prestige ransomware:

1. The ransomware payload is copied to the ADMIN$ share of a remote system (which maps to the %SystemRoot% directory, normally C:\Windows), and Impacket (an open-source Python toolkit for network protocols that is widely used for remote command execution) is used to remotely create a Windows Scheduled Task on the target system to execute the payload.


2. The ransomware payload is copied to the ADMIN$ share of a remote system, and Impacket is used to remotely invoke a Base64-encoded PowerShell command on the target system to execute the payload.


3. The ransomware payload is copied to an Active Directory Domain Controller and pushed to domain-joined systems through the Default Domain Group Policy Object, so that every machine applying that policy executes it.

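The three deployment methods above each leave a distinct trail in Windows Security auditing: a file written over the ADMIN$ share (event 5145), followed on the same host by a scheduled task creation (4698) or a PowerShell process launched with an encoded command (4688), or a file written into the Default Domain Policy's folder on the SYSVOL share (5145 on a domain controller). The following detection script is an added example and is not code from Microsoft's report or from this article. It correlates those events per host over a short time window. The event records, host names, file names, the simplified field names and the 10-minute window are all constructed for the example; the Default Domain Policy GUID is the real, fixed one. It assumes the relevant audit subcategories (Detailed File Share, Other Object Access Events, and Process Creation with command-line logging) are enabled, which must be verified in any real environment.

```python
"""Correlate Windows Security audit events for the three Prestige deployment patterns.

Added detection example (not Microsoft's or the article's code). Event dicts use
simplified keys: 5145 -> share/target/access, 4698 -> task_name/task_action,
4688 -> image/cmdline. All sample data below is constructed.
"""
import base64
import re
from collections import defaultdict

# Well-known GUID of the Default Domain Policy GPO; it is the same in every AD domain.
DEFAULT_DOMAIN_POLICY_GUID = "{31B2F340-016D-11D2-945F-00C04FB984F9}"
# Assumption: a task or process appearing within 10 minutes of the share write is related.
CORRELATION_WINDOW = 600
# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (Base64 of UTF-16LE text), or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def _recent_admin_share_writes(host_events, ts):
    """5145 events that wrote a file to ADMIN$ (= %SystemRoot%) shortly before ts."""
    return [
        e for e in host_events
        if e["id"] == 5145
        and e["share"].upper().endswith("ADMIN$")
        and "WriteData" in e["access"]
        and 0 <= ts - e["ts"] <= CORRELATION_WINDOW
    ]


def detect(events):
    """Correlate events per host; returns a list of (method, host, detail) tuples."""
    findings = []
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for e in evs:
            if e["id"] == 4698:  # scheduled task created: does it run the dropped file?
                for w in _recent_admin_share_writes(evs, e["ts"]):
                    if w["target"].lower() in e["task_action"].lower():
                        findings.append(("method1", host, e["task_name"]))
            elif e["id"] == 4688 and e["image"].lower().endswith("\\powershell.exe"):
                decoded = decode_encoded_command(e["cmdline"])
                if decoded is None:
                    continue  # plain PowerShell is not a Prestige pattern by itself
                for w in _recent_admin_share_writes(evs, e["ts"]):
                    if w["target"].lower() in decoded.lower():
                        findings.append(("method2", host, decoded.strip()))
            elif (e["id"] == 5145 and e["share"].upper().endswith("SYSVOL")
                  and "WriteData" in e["access"]
                  and DEFAULT_DOMAIN_POLICY_GUID.lower() in e["target"].lower()):
                findings.append(("method3", host, e["target"]))
    return findings


# Constructed sample data: the encoded command simply launches the dropped file.
ENC = base64.b64encode("C:\\Windows\\payload.exe".encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    # Method 1 on WS01: write to ADMIN$, then a task whose action runs the dropped file.
    {"ts": 100, "host": "WS01", "id": 5145, "share": "\\\\*\\ADMIN$",
     "target": "payload.exe", "access": ["ReadData", "WriteData"]},
    {"ts": 160, "host": "WS01", "id": 4698, "task_name": "\\Update",
     "task_action": "C:\\Windows\\payload.exe"},
    # Method 2 on WS02: write to ADMIN$, then encoded PowerShell that runs it.
    {"ts": 200, "host": "WS02", "id": 5145, "share": "\\\\*\\ADMIN$",
     "target": "payload.exe", "access": ["WriteData"]},
    {"ts": 230, "host": "WS02", "id": 4688,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": f"powershell.exe -ExecutionPolicy Bypass -enc {ENC}"},
    # Method 3 on DC01: payload dropped into the Default Domain Policy's SYSVOL folder.
    {"ts": 300, "host": "DC01", "id": 5145, "share": "\\\\*\\SYSVOL",
     "target": "corp.local\\Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}"
               "\\Machine\\Scripts\\Startup\\payload.exe", "access": ["WriteData"]},
    # Benign noise on WS03: a task and plain PowerShell with no preceding share write.
    {"ts": 400, "host": "WS03", "id": 4698, "task_name": "\\Backup",
     "task_action": "C:\\Tools\\backup.exe"},
    {"ts": 410, "host": "WS03", "id": 4688,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Date"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(*finding)
```

The correlation with a preceding ADMIN$ write is what keeps the noise down: scheduled tasks and encoded PowerShell are common in legitimate administration, but a task or script that executes a file dropped over the admin share minutes earlier is the specific pattern described above. In production the parent process of the 4688 event is a useful extra signal, since Impacket-style execution typically arrives via the Task Scheduler service or WmiPrvSE.exe rather than an interactive session.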

In a ransom note dropped on each compromised machine, the threat actors instruct victims to purchase their decryption software and to contact the attackers at a specified email address.

As the threat landscape in Ukraine continues to evolve, Microsoft urges organizations to build more robust defenses, noting that the hardening that blocks ransomware deployment also blocks destructive wiper attacks.

"Ransomware and wiper attacks rely on many of the same security weaknesses to succeed," the company said.