SOC Incident Toolkit
Prestige Ransomware: Targeting Ukraine & Poland


Tags: Prestige Ransomware, Ransomware

A new ransomware campaign targeted the transportation and logistics sectors in Ukraine and Poland on October 11, 2022 with a previously unknown payload dubbed Prestige. "The activity shares victimology with recent Russian state-aligned activity, specifically on affected geographies and countries, and overlaps with previous victims of the FoxBlade malware (also known as HermeticWiper)," the Microsoft Threat Intelligence Center (MSTIC) said.

Notes

<h5>Recommended Customer Actions</h5><ul><li>Block process creations originating from PSExec and WMI commands (the Microsoft Defender attack surface reduction rule of that name) to stop lateral movement that relies on the WMIexec component of Impacket.</li><li>Enable tamper protection to prevent attackers from stopping or interfering with Microsoft Defender.</li><li>Turn on cloud-delivered protection in Microsoft Defender Antivirus, or the equivalent in your antivirus product, to cover rapidly evolving attacker tools and techniques; cloud-based machine learning protections block the large majority of new and unknown variants.</li><li>While this attack differs from traditional ransomware, following Microsoft's guidance on defending against ransomware helps protect against the credential theft, lateral movement, and ransomware deployment used by DEV-0960.</li><li>Use the included indicators of compromise to investigate whether they exist in your environment and assess for potential intrusion.</li><li>Enable multifactor authentication (MFA) to mitigate potentially compromised credentials, and ensure that MFA is enforced for all remote connectivity, including VPNs. Microsoft strongly encourages all customers to download and use password-less solutions such as Microsoft Authenticator to secure their accounts.</li></ul>

Mitigation

<div>This campaign has several key features that set it apart from other Microsoft-tracked ransomware campaigns:</div><ul><li>The enterprise-wide deployment of ransomware is not common in Ukraine, and this activity was not connected to any of the 94 currently active ransomware activity groups that Microsoft tracks.</li><li>The Prestige ransomware had not been observed by Microsoft prior to this deployment.</li><li>The activity shares victimology with recent Russian state-aligned activity, specifically on affected geographies and countries, and overlaps with previous victims of the FoxBlade malware (also known as HermeticWiper).</li></ul><div>Despite using similar deployment techniques, the campaign is distinct from recent destructive attacks leveraging AprilAxe (ArguePatch)/CaddyWiper or FoxBlade (HermeticWiper) that have impacted multiple critical infrastructure organizations in Ukraine over the last two weeks. MSTIC has not yet linked this ransomware campaign to a known threat group and is continuing investigations. MSTIC is tracking this activity as DEV-0960.</div><h6>Observed Actor Activity</h6><ul><li>RemoteExec – a commercially available tool for agentless remote code execution.</li><li>Impacket WMIexec – an open-source script-based solution for remote code execution.</li><li>winPEAS – an open-source collection of scripts to perform privilege escalation on Windows.</li><li>comsvcs.dll – used to dump the memory of the LSASS process and steal credentials.</li><li>ntdsutil.exe – used to back up the Active Directory database, likely for later extraction of the credentials it contains.</li></ul><h6>Ransomware Deployment</h6><div>In all observed deployments, the attacker had already gained access to highly privileged credentials, such as Domain Admin, to facilitate the ransomware deployment. The initial access vector has not been identified at this time, but in some instances it is possible that the attacker already had access to the highly privileged credentials from a prior compromise. In these instances, the attack timeline starts with the attacker already holding Domain Admin-level access and staging their ransomware payload.</div>
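The tooling listed under Observed Actor Activity leaves recognizable process-creation telemetry, and the Ransomware Deployment section notes that the operator already holds Domain Admin-level credentials. The following is an added example, written for this page and not part of Microsoft's or the toolkit's own content, that hunts constructed process-creation records (Sysmon event 1 / Security event 4688 shape) for four of the five listed tools and flags which hits ran under a watch list of privileged accounts. RemoteExec is omitted because the page gives no command-line artifact for it. The host names, account names, the `PRIVILEGED_ACCOUNTS` watch list and the sample events are all constructed for illustration; the WMIexec rule assumes Impacket's default output redirection to the ADMIN$ share was not customized.

```python
"""Hunt process-creation records for DEV-0960 tooling: Impacket WMIexec,
comsvcs.dll LSASS dumping, ntdsutil AD database export and winPEAS.
Example code added to this page; sample data below is constructed."""
import re
from dataclasses import dataclass
from typing import Callable, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (fields common to Sysmon EID 1 and 4688)."""
    host: str
    user: str        # account that started the process, DOMAIN\name
    parent: str      # parent image file name
    command: str     # full command line of the new process


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    rule: str
    command: str
    privileged: bool  # ran under an account in the privileged watch list


def is_wmiexec(e: ProcEvent) -> bool:
    # wmiexec.py creates the operator's command through Win32_Process.Create,
    # so WmiPrvSE.exe spawns "cmd.exe /Q /c <cmd>" with output redirected to a
    # file on ADMIN$ whose name starts with "__" (Impacket default, assumed).
    return (e.parent.lower() == "wmiprvse.exe"
            and re.search(r"cmd\.exe\s+/Q\s+/c\b", e.command, re.I) is not None
            and re.search(r"\\\\127\.0\.0\.1\\ADMIN\$\\__", e.command, re.I) is not None)


def is_comsvcs_dump(e: ProcEvent) -> bool:
    # comsvcs.dll exports MiniDump (ordinal #24); via rundll32 it writes a full
    # memory dump of the given PID, used by the actor against LSASS.
    return re.search(r"comsvcs\.dll\s*,?\s*(MiniDump|#24)\b", e.command, re.I) is not None


def is_ntds_export(e: ProcEvent) -> bool:
    # ntdsutil "ac i ntds" "ifm" "create full <dir>" copies ntds.dit and the
    # SYSTEM hive, enough to extract every domain credential offline.
    return (re.search(r"\bntdsutil(\.exe)?\b", e.command, re.I) is not None
            and re.search(r"\b(ifm|create\s+full|ac(tivate)?\s+i(nstance)?\s+ntds)\b",
                          e.command, re.I) is not None)


def is_winpeas(e: ProcEvent) -> bool:
    # winPEAS ships as winPEAS.exe / winPEASany.exe / winPEAS.bat; a rename
    # defeats this check, so treat it as a low-cost first pass only.
    return re.search(r"winpeas", e.command, re.I) is not None


RULES: List[Tuple[str, Callable[[ProcEvent], bool]]] = [
    ("impacket_wmiexec", is_wmiexec),
    ("comsvcs_lsass_dump", is_comsvcs_dump),
    ("ntdsutil_ifm_export", is_ntds_export),
    ("winpeas", is_winpeas),
]


def scan(events: Iterable[ProcEvent], privileged_accounts: Set[str]) -> List[Finding]:
    """Apply every rule to every event; one Finding per (event, rule) hit."""
    watch = {a.lower() for a in privileged_accounts}
    findings: List[Finding] = []
    for e in events:
        for name, pred in RULES:
            if pred(e):
                findings.append(Finding(e.host, e.user, name, e.command,
                                        e.user.lower() in watch))
    return findings


# Constructed watch list and telemetry; none of this is observed data.
PRIVILEGED_ACCOUNTS: Set[str] = {r"CORP\da-admin", r"CORP\Administrator"}

SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent("WS01", r"CORP\jdoe", "explorer.exe",
              r'"C:\Windows\System32\cmd.exe" /c dir'),                       # benign
    ProcEvent("FS02", r"CORP\da-admin", "wmiprvse.exe",
              r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1665500000.36 2>&1"),
    ProcEvent("FS02", r"CORP\da-admin", "cmd.exe",
              r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 712 C:\Windows\Temp\l.dmp full"),
    ProcEvent("DC01", r"CORP\da-admin", "cmd.exe",
              r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\Windows\Temp\x" q q'),
    ProcEvent("WS01", r"CORP\jdoe", "powershell.exe",
              r"C:\Users\jdoe\Downloads\winPEASany.exe quiet"),
    ProcEvent("WS01", r"CORP\jdoe", "explorer.exe",
              r"rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl"),        # benign
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS, PRIVILEGED_ACCOUNTS):
        flag = "PRIVILEGED " if f.privileged else ""
        print(f"{flag}{f.host} {f.user} [{f.rule}] {f.command}")
```

Run as a script it prints four hits; the three on FS02 and DC01 carry the privileged flag, which is the combination the deployment narrative describes (credential theft and lateral movement already running as Domain Admin) and is the set to triage first. The rules are deliberately strict on the WMIexec and comsvcs patterns and loose on winPEAS, so tune the watch list and parent-process conditions to your own telemetry before relying on them.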