2022-10-25

Ukraine and Poland Targeted by New 'Prestige' Ransomware

Level: 
Tactical
  |  Source: 
Microsoft
Share:

Ukraine and Poland Targeted by New 'Prestige' Ransomware

Category: Ransomware News | Industry: N/A | Level: Tactical | Source: Microsoft

The Microsoft Threat Intelligence Center (MSTIC) has discovered new ransomware named 'Prestige' targeting organizations in Ukraine and Poland. The threat actors behind the malware appear to be a new group tracked as DEV-0960, their tradecraft does not align with other ransomware groups, however the group's victim profile aligns with those of Russian-state actors. Activity from ransomware was first seen on October 11th, 2022, "in attacks occurring within an hour of each other across all victims." Initial access details are currently not reported. Activity the ransomware operators conducted prior to the ransomware deployment included using remote execution utilities such as RemoteExec and Impacket's WMIexec script. Additionally, operators achieved privilege escalation and credential theft with tools and techniques including winPEAS, comsvcs.dll, and ntdsutil.exe. Once privilege escalation and credential theft objectives had been accomplished, the operators proceeded to deploy the ransomware using three different techniques. The first two methods involve copying the prestige ransomware into the ADMIN$ share and deploying the malware through (1) a scheduled task or (2) invoking it with an encoded PowerShell command. In the third method, the attackers copy the ransomware into an Active Directory Domain Controller and push it out through a group policy. The ransomware when executed would stop services running on the host, delete shadow copies, and encrypt files based on the attacker's specified file extension list. Microsoft's intelligence continues to track cyber activity associated with the conflict between Russia and Ukraine. The deployment of Prestige ransomware has been recognized as new activity. "Despite using similar deployment techniques, the campaign is distinct from recent destructive attacks leveraging AprilAxe (ArguePatch)/CaddyWiper or Foxblade (HermeticWiper) that have impacted multiple critical infrastructure organizations in Ukraine over the last two weeks."

Anvilogic Scenario:

  • Prestige Ransomware: Pre-Deployment Behaviors

Anvilogic Use Cases:

  • Remote Admin Tools
  • Impacket/Empire's WMIExec
  • comsvcs.dll Lsass Memory Dump

Get trending threats published weekly by the Anvilogic team.

Sign Up Now