Microsoft Attributes Prestige Ransomware to a Russian Threat Actor
Category: Ransomware News | Industries: Humanitarian, Military | Level: Tactical | Source: Microsoft
The Microsoft Threat Intelligence Center (MSTIC) has updated its reporting on the Prestige ransomware strain targeting organizations in Ukraine and Poland, revising its initial attribution from the tracked group DEV-0960 to IRIDIUM. MSTIC assesses IRIDIUM as a Russia-based threat actor whose activity overlaps with Sandworm, the threat group associated with Russia's General Staff Main Intelligence Directorate (GRU). The attribution is based on "forensic artifacts, as well as overlaps in victimology, tradecraft, capabilities, and infrastructure, with known IRIDIUM activity. Review of technical artifacts available to Microsoft links IRIDIUM to interactive compromise activity at multiple Prestige victims as far back as March 2022." Microsoft credits the Computer Emergency Response Team of Ukraine (CERT-UA) for supporting its investigation. Campaigns deploying Prestige have directly targeted organizations involved in humanitarian or military assistance programs supporting Ukraine and Eastern Europe.

No update has been provided on the initial access vector the operators may have used. MSTIC highlights two remote execution utilities, RemoteExec and Impacket WMIexec, as tools the operators use in the post-exploitation stage. For credential theft, IRIDIUM used comsvcs.dll to dump LSASS memory or ntdsutil.exe to export the Active Directory database. To deploy the ransomware, MSTIC has observed IRIDIUM operators either uploading it to an administrative share such as Admin$ and executing it with a remote admin tool, or deploying it from an Active Directory Domain Controller. MSTIC notes that this activity is distinct: "The enterprise-wide deployment of ransomware is not common in Ukraine, and this activity was not connected to any of the 94 currently active ransomware activity groups that Microsoft tracks."
- Prestige Ransomware: Pre-Deployment Behaviors
Anvilogic Use Cases:
- Remote Admin Tools
- Impacket/Empire's WMIExec
- comsvcs.dll Lsass Memory Dump
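The pre-deployment behaviors the summary names (comsvcs.dll LSASS dumping, ntdsutil.exe Active Directory export, Impacket WMIExec, and execution from an Admin$ share) map directly onto process-creation telemetry. The following is an added example written for this page, not Microsoft's or Anvilogic's detection content: a small Python rule set run over constructed Sysmon/4688-style process events, with a per-host roll-up that escalates when more than one of these behaviors appears on the same host. The event schema, rule names, host names and the two-rule escalation threshold are assumptions of the example; the command-line patterns are the publicly documented shapes of the named tools.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 / Security 4688 style).
    Field names are this example's own, not a vendor schema."""
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_comsvcs_lsass_dump(ev: ProcEvent) -> bool:
    # rundll32 loading comsvcs.dll's MiniDump export is the credential-dump
    # behaviour the report names (comsvcs.dll dump of LSASS memory).
    cl = ev.command_line.lower()
    return _basename(ev.image) == "rundll32.exe" and "comsvcs" in cl and "minidump" in cl


def is_ntdsutil_ad_export(ev: ProcEvent) -> bool:
    # ntdsutil "install from media" (ifm) export writes a copy of ntds.dit;
    # the report names ntdsutil.exe as the Active Directory export tool used.
    cl = ev.command_line.lower()
    return _basename(ev.image) == "ntdsutil.exe" and ("ifm" in cl or "create full" in cl)


# Impacket wmiexec redirects command output to a file named __<timestamp>
# in the local ADMIN$ share, and the cmd.exe it spawns runs under WmiPrvSE.exe.
WMIEXEC_OUTPUT = re.compile(r"\\\\127\.0\.0\.1\\admin\$\\__\d+")


def is_wmiexec_shell(ev: ProcEvent) -> bool:
    return (_basename(ev.parent_image) == "wmiprvse.exe"
            and _basename(ev.image) == "cmd.exe"
            and WMIEXEC_OUTPUT.search(ev.command_line.lower()) is not None)


# A binary launched straight from a remote ADMIN$ share matches the
# "upload to Admin$ and execute with a remote admin tool" deployment step.
ADMIN_SHARE_EXEC = re.compile(r"\\\\[^\\\s]+\\admin\$\\[^\s\"]+\.exe")


def is_admin_share_execution(ev: ProcEvent) -> bool:
    return (ADMIN_SHARE_EXEC.search(ev.image.lower()) is not None
            or ADMIN_SHARE_EXEC.search(ev.command_line.lower()) is not None)


RULES = {
    "comsvcs_lsass_dump": is_comsvcs_lsass_dump,
    "ntdsutil_ad_export": is_ntdsutil_ad_export,
    "impacket_wmiexec": is_wmiexec_shell,
    "admin_share_execution": is_admin_share_execution,
}


def scan(events):
    """Return a list of (rule_name, host, user) hits, one per matching rule."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev.host, ev.user))
    return hits


def hosts_by_severity(hits):
    """Group hits by host; a host showing two or more distinct pre-deployment
    behaviours is escalated to 'high' (the threshold is this example's choice)."""
    seen = defaultdict(set)
    for name, host, _ in hits:
        seen[host].add(name)
    return {host: ("high" if len(names) >= 2 else "medium") for host, names in seen.items()}


# Constructed sample events for the example, not real telemetry.
SAMPLE_EVENTS = [
    ProcEvent("WS01", "CORP\\alice", r"C:\Windows\explorer.exe",
              r"C:\Program Files\Browser\browser.exe", "browser.exe --profile default"),
    ProcEvent("DC01", "CORP\\svc_backup", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump 624 C:\Windows\Temp\l.dmp full"),
    ProcEvent("DC01", "CORP\\svc_backup", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\ntdsutil.exe",
              r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\Windows\Temp\out" q q'),
    ProcEvent("FS02", "CORP\\svc_backup", r"C:\Windows\System32\wbem\WmiPrvSE.exe",
              r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1666000000.5 2>&1"),
    ProcEvent("FS03", "CORP\\svc_backup", r"C:\Windows\System32\services.exe",
              r"\\FS03\ADMIN$\payload.exe", r"\\FS03\ADMIN$\payload.exe"),
]

if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for hit in found:
        print(hit)
    print(hosts_by_severity(found))
```

Running the block prints four hits and escalates DC01 to high because both the LSASS dump and the AD export were seen there; the benign browser launch on WS01 matches nothing. The roll-up is the part worth keeping in a real pipeline: each rule alone has known benign lookalikes (backup software using ntdsutil, legitimate remote administration), but the combination on one host within a short window is the sequence the summary describes preceding ransomware deployment.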