Prestige ransomware targets organizations across Ukraine and Poland, Microsoft discloses

A novel ransomware campaign, which labels itself in its ransom note as ‘Prestige ranusomeware,’ has been targeting organizations in the transportation and related logistics industries in Ukraine and Poland using a previously unidentified ransomware payload, the Microsoft Threat Intelligence Center (MSTIC) disclosed last week. The campaign has not yet been linked to a known threat group, investigations are continuing, and MSTIC is tracking the activity as ‘DEV-0960.’

The researchers identified evidence of the new Prestige ransomware being deployed on Oct. 11, in attacks that occurred within an hour of each other across all victims, the MSTIC team wrote in a blog post.

The Prestige campaign has several notable features that differentiate it from other ransomware campaigns Microsoft tracks, the researchers said: enterprise-wide deployment of ransomware is not common in Ukraine, and this activity was not connected to any of the 94 currently active ransomware activity groups that Microsoft tracks. Additionally, the Prestige ransomware had not been observed by Microsoft prior to this deployment, and the activity shares victimology with recent Russian state-aligned activity, specifically in the affected geographies and countries, and overlaps with previous victims of the FoxBlade malware, also known as HermeticWiper, it added.

The threat landscape in Ukraine continues to evolve, and wipers and destructive attacks have been a consistent theme, MSTIC said. Ransomware and wiper attacks rely on many of the same security weaknesses to succeed. As the situation evolves, organizations can adopt the hardening guidance in Microsoft's post to help build more robust defenses against these threats.

MSTIC said that despite using similar deployment techniques, the Prestige campaign is distinct from recent destructive attacks leveraging AprilAxe (ArguePatch)/CaddyWiper or FoxBlade (HermeticWiper) that have impacted multiple critical infrastructure organizations in Ukraine over the last two weeks.

Prior to deploying ransomware, the DEV-0960 activity included the use of two remote execution utilities: RemoteExec, a commercially available tool for agentless remote code execution, and Impacket WMIexec, an open-source script-based solution for remote code execution.

To gain access to highly privileged credentials in some of the environments, the tools used in the Prestige activity for privilege escalation and credential extraction included winPEAS, an open-source collection of scripts for performing privilege escalation on Windows; comsvcs[dot]dll, used to dump the memory of the LSASS process and steal credentials; and ntdsutil[dot]exe, used to back up the Active Directory database, likely for later use of the credentials it contains.

Microsoft said that in observed deployments, the attacker had already gained access to highly privileged credentials, like Domain Admin, to facilitate the ransomware deployment. “Initial access vector has not been identified at this time, but in some instances, it’s possible that the attacker might have already had existing access to the highly privileged credentials from a prior compromise. In these instances, the attack timeline starts with the attacker already having Domain Admin-level access and staging their ransomware payload,” it added.

Most ransomware operators develop a preferred set of tradecraft for their payload deployment and execution, and this tradecraft tends to be consistent across victims unless a security configuration prevents their preferred method, MSTIC said. “For this DEV-0960 activity, the methods used to deploy the ransomware varied across the victim environments, but it does not appear to be due to security configurations preventing the attacker from using the same techniques. This is especially notable as the ransomware deployments all occurred within one hour,” it added.

Three distinct ransomware deployment methods were observed. In the first, the ransomware payload is copied to the ADMIN$ share of a remote system, and Impacket is used to remotely create a Windows Scheduled Task on target systems to execute the payload. In the second, the payload is copied to the ADMIN$ share of a remote system, and Impacket is used to remotely invoke an encoded PowerShell command on target systems to execute the payload. In the third, the payload is copied to an Active Directory domain controller and deployed to systems using the default domain group policy object.

Earlier this month, a joint Cybersecurity Advisory (CSA) released by U.S. cybersecurity agencies disclosed the use of Impacket and an exfiltration tool to steal sensitive information from a defense industrial base (DIB) organization. Additionally, from November last year through January, the Cybersecurity and Infrastructure Security Agency (CISA) responded to advanced persistent threat (APT) activity on a DIB sector organization’s enterprise network. The advisory, however, did not clarify why the information was being released only after several months.

MSTIC said that Prestige ransomware requires administrative privileges to run. Like many ransomware payloads, it attempts to stop the MSSQL Windows service to ensure successful encryption. It then creates ‘C:\Users\Public\README’ and stores a ransom note in the file; the same file is also created in the root directory of each drive. “Prestige then traverses the files on the file system and encrypts the contents of files that have one of the following hardcoded file extensions, avoiding encrypting files in the C:\Windows\ and C:\ProgramData\Microsoft\ directories,” the researchers added.

“After encrypting each file, the ransomware appends the extension .enc to the existing extension of the file,” MSTIC said. “For example, changes.txt is encrypted and then renamed to changes.txt.enc. Prestige uses the following two commands to register a custom file extension handler for files with .enc file extension,” they added. 

MSTIC said that as a result of creating the custom file extension handler, when any file carrying the file extension [dot]enc (i.e., encrypted by Prestige) is opened by a user, the file extension handler uses Notepad to open ‘C:\Users\Public\README,’ which contains the ransom note. To encrypt files, Prestige leverages the CryptoPP C++ library to AES-encrypt each eligible file. Additionally, Prestige runs a command to delete all volume shadow copies on the system. 
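The tradecraft reported above (the three deployment methods, the comsvcs.dll and ntdsutil credential-dumping tools, the MSSQL service stop, the .enc handler that points Notepad at the ransom note, and the shadow copy deletion) can be turned into simple command-line detection rules. The following Python is an added example written for this page, not code from Microsoft or from the article. It runs over constructed process-creation events; the exact command-line forms assumed for Impacket wmiexec, comsvcs.dll, ntdsutil, the service stop and vssadmin, as well as the hostnames, usernames and the payload path C:\Users\Public\payload.exe, are assumptions and not details taken from the page.

```python
"""
Added example for this page (not Microsoft's or the article's code): command-line
detection rules for the DEV-0960 tradecraft described above, applied to constructed
process-creation events. Patterns marked "assumed" are commonly documented tool
artefacts and are not taken from the page.
"""
import base64
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcEvent:
    host: str
    user: str
    cmdline: str


# (rule id, attack phase, regex over the process command line)
RULES = [
    # Impacket wmiexec redirects command output to a file on ADMIN$ (assumed artefact).
    ("impacket_wmiexec", "deployment",
     re.compile(r"1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+", re.I)),
    # Scheduled Task created to execute the staged payload (deployment method one).
    ("scheduled_task_create", "deployment",
     re.compile(r"schtasks(?:\.exe)?\s+/create\b", re.I)),
    # Encoded PowerShell command launching the payload (deployment method two).
    ("encoded_powershell", "deployment",
     re.compile(r"powershell(?:\.exe)?.*\s-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    # LSASS memory dump through comsvcs.dll MiniDump (assumed invocation form).
    ("lsass_dump_comsvcs", "credential_access",
     re.compile(r"comsvcs\.dll.*\bMiniDump\b", re.I)),
    # ntdsutil "install from media" copy of the AD database (assumed invocation form).
    ("ntds_backup", "credential_access",
     re.compile(r"ntdsutil(?:\.exe)?.*\bifm\b", re.I)),
    # Prestige stops the MSSQL service before encrypting (assumed command form).
    ("stop_mssql_service", "impact",
     re.compile(r"\b(?:net|sc)(?:\.exe)?\s+stop\s+\S*mssql", re.I)),
    # .enc file handler that opens the ransom note C:\Users\Public\README in Notepad.
    ("enc_handler_registration", "impact",
     re.compile(r"HKCR\\\.enc\b|Notepad(?:\.exe)?\s+C:\\Users\\Public\\README", re.I)),
    # Volume shadow copy deletion (assumed vssadmin form).
    ("shadow_copy_deletion", "impact",
     re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)),
]

_ENC_ARG = re.compile(r"\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)


def decode_encoded_powershell(cmdline: str) -> Optional[str]:
    """Return the plaintext of a -EncodedCommand argument (base64 of UTF-16LE), else None."""
    m = _ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def scan(events):
    """Apply every rule to every event; return (host, rule id, phase) findings."""
    findings = []
    for ev in events:
        for rule_id, phase, pattern in RULES:
            if pattern.search(ev.cmdline):
                findings.append((ev.host, rule_id, phase))
    return findings


def hosts_by_phase(findings):
    """Map each phase to the set of hosts where at least one rule of that phase fired."""
    out = {}
    for host, _, phase in findings:
        out.setdefault(phase, set()).add(host)
    return out


def multi_phase_hosts(findings, minimum=2):
    """Hosts where rules from `minimum` or more distinct phases fired: the strongest signal."""
    phases = {}
    for host, _, phase in findings:
        phases.setdefault(host, set()).add(phase)
    return sorted(h for h, p in phases.items() if len(p) >= minimum)


# Constructed sample events; hostnames, users and the payload path are placeholders.
_LAUNCH = r"Start-Process C:\Users\Public\payload.exe"
_ENCODED = base64.b64encode(_LAUNCH.encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    ProcEvent("fs01", r"CORP\da-admin", r"cmd.exe /Q /c schtasks /create /tn upd /tr C:\Users\Public\payload.exe /sc once /st 00:00 1> \\127.0.0.1\ADMIN$\__1665482400.12 2>&1"),
    ProcEvent("fs02", r"CORP\da-admin", "powershell.exe -nop -w hidden -enc " + _ENCODED),
    ProcEvent("dc01", r"CORP\da-admin", r"rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump 624 C:\Windows\Temp\l.dmp full"),
    ProcEvent("dc01", r"CORP\da-admin", r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\Temp\ad" q q'),
    ProcEvent("fs01", r"NT AUTHORITY\SYSTEM", "net stop MSSQLSERVER"),
    ProcEvent("fs01", r"NT AUTHORITY\SYSTEM", r'reg.exe add HKCR\enc\shell\open\command /ve /t REG_SZ /d "C:\Windows\Notepad.exe C:\Users\Public\README" /f'),
    ProcEvent("fs01", r"NT AUTHORITY\SYSTEM", "vssadmin.exe delete shadows /all /quiet"),
    ProcEvent("ws07", r"CORP\jdoe", r"C:\Windows\System32\notepad.exe C:\Users\jdoe\notes.txt"),  # benign
]

if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for host, rule_id, phase in found:
        print(f"{host:5} {phase:18} {rule_id}")
    print("hosts with activity in multiple phases:", multi_phase_hosts(found))
```

Each rule alone is noisy in a large estate (administrators do create scheduled tasks and stop SQL services), which is why the example groups rules by phase and ranks hosts where deployment, credential access and impact activity all appear; in the constructed sample only fs01 reaches that bar. Decoding the -EncodedCommand argument lets an analyst see the launched command rather than a base64 blob, and the ADMIN$ output-redirect pattern is worth watching on its own because the page reports wmiexec as the remote execution vehicle.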

Microsoft will continue to monitor DEV-0960 activity and implement protections for customers. 
