Microsoft reported that new Prestige ransomware is being used in attacks targeting transportation and logistics organizations in Ukraine and Poland.
The Prestige ransomware was first spotted on October 11 in attacks occurring within an hour of each other across all victims.
An important feature of this campaign is that it is uncommon to observe threat actors attempting to deploy ransomware into the networks of Ukrainian enterprises.
According to Microsoft, this campaign was not connected to any of the 94 currently active ransomware activity groups that it is tracking.
Microsoft Threat Intelligence Center (MSTIC) published a report according to which the activity shares victimology with recent Russian state-aligned activity, specifically on affected geographies and countries, and overlaps with previous victims of the FoxBlade malware (also known as HermeticWiper).
The researchers from cybersecurity firms ESET and Broadcom’s Symantec discovered the destructive wiper, HermeticWiper in February. The malicious code was employed in attacks that hit hundreds of machines in Ukraine.
This campaign is distinct from recent destructive attacks leveraging AprilAxe (ArguePatch)/CaddyWiper or Foxblade (HermeticWiper) that hit several critical infrastructure organizations in Ukraine over the last two weeks.
MSTIC has not yet attributed the attacks to a known threat group, and it is tracking the campaign as DEV-0960.
Before deploying ransomware in the target networks, the threat actors were found using the following two remote execution utilities:
- RemoteExec – a commercially available tool for agentless remote code execution
- Impacket WMIexec – an open-source script-based solution for remote code execution
The researchers observed the threat actors using three methods to deploy the Prestige ransomware:
Method 1: The ransomware payload is copied to the ADMIN$ share of a remote system, and Impacket is used to remotely create a Windows Scheduled Task on target systems to execute the payload
Method 2: The ransomware payload is copied to the ADMIN$ share of a remote system, and Impacket is used to remotely invoke an encoded PowerShell command on target systems to execute the payload
Method 3: The ransomware payload is copied to an Active Directory Domain Controller and deployed to systems using the Default Domain Group Policy Object
Once deployed, the Prestige ransomware drops a ransom note named “README.txt” in the root directory of each drive it encrypts.
Prestige uses the CryptoPP C++ library to AES-encrypt each eligible file, to prevent data recovery the ransomware deletes the backup catalog from the system.
Microsoft published a list of indicators of compromise (IOCs) and advanced hunting queries detect Prestige ransomware infections.
The post Prestige ransomware targets Polish and Ukrainian organizations first appeared on Cybersafe News.