
Microsoft Attributes Prestige Ransomware to Russian Threat Actor

In October, a new ransomware, dubbed Prestige, was found targeting transportation and logistics firms in Poland and Ukraine. Microsoft has finally attributed the ransomware to a Russian state-sponsored group it started tracking as Iridium. (Iridium is linked with the Sandworm APT group, another Russian nation-state threat actor.)

Prestige ransomware in action

Iridium's known activity and the Prestige campaign overlap in tradecraft, victimology, infrastructure, and functionality. Microsoft stated that Iridium targets operational technology and critical infrastructure entities.
  • The new findings revealed that several victims of Iridium, between March and October 2022, were also compromised using Prestige ransomware.
  • The Prestige campaign differs from the destructive attacks carried out with HermeticWiper (Foxblade) and CaddyWiper, which were used in some of the recent attacks against similar targets.
  • While the initial access vector for Prestige remains unknown, it is suspected that the threat actor already held highly privileged credentials before starting the kill chain.

The campaign involving Prestige ransomware signals a shift in Iridium’s “destructive attack calculus,” indicating that enterprises providing military or humanitarian assistance to Ukraine are at increased risk.

How does Prestige work?

First spotted on October 11, Prestige ransomware targeted transportation and logistics enterprises in Poland and Ukraine.
  • Prestige ransomware, like other ransomware payloads, stops the MSSQL Windows service so that database files are not locked during encryption.
  • The threat actors leveraged three methods for ransomware deployment. Two of them use Impacket, while the third uses the Default Domain Group Policy Object. (Impacket is an open-source framework capable of credential theft, lateral movement, and remote code execution.)

The bottom line

Since the armed conflict between Russia and Ukraine began, wipers and destructive attacks have become a common theme. Microsoft recommends eliminating security weaknesses by enabling MFA, blocking process creations originating from WMI and PsExec, and hunting for the provided IOCs.
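The two observable behaviours the article calls out, the MSSQL service stop before encryption and remote process creation via WMI or PsExec, can be turned into a simple hunt over process-creation telemetry. The following is an added example, not code from Microsoft or Cyware; it runs over constructed Sysmon-style Event ID 1 records, and the host names, paths, and command lines are sample values.

```python
"""Hunt for the two behaviours the write-up calls out, over constructed
Sysmon-style process-creation records (Event ID 1). Sample data only."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Parent processes that indicate remote execution via WMI or PsExec.
REMOTE_EXEC_PARENTS = {"wmiprvse.exe", "psexesvc.exe"}
# Image name plus command-line tokens that stop the MSSQL service.
MSSQL_STOP_MARKERS = (("net.exe", "stop", "mssql"), ("sc.exe", "stop", "mssql"))


@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


def parent_name(ev: ProcEvent) -> str:
    return PureWindowsPath(ev.parent_image).name.lower()


def classify(ev: ProcEvent) -> list[str]:
    """Return the detection tags that fire for a single event."""
    tags = []
    if parent_name(ev) in REMOTE_EXEC_PARENTS:
        tags.append("remote_exec_parent")
    cmd = ev.command_line.lower()
    image = PureWindowsPath(ev.image).name.lower()
    for tool, verb, service in MSSQL_STOP_MARKERS:
        if image == tool and verb in cmd and service in cmd:
            tags.append("mssql_service_stop")
            break
    return tags


def hunt(events: list[ProcEvent]) -> dict[str, list[str]]:
    """Group flagged events by host so both signals are seen together."""
    hits: dict[str, list[str]] = {}
    for ev in events:
        for tag in classify(ev):
            hits.setdefault(ev.host, []).append(tag)
    return hits


SAMPLE_EVENTS = [  # constructed records, not from the actual campaign
    ProcEvent("srv01", r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c hostname"),
    ProcEvent("srv01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\net.exe", "net stop MSSQLSERVER /y"),
    ProcEvent("ws02", r"C:\Windows\explorer.exe", r"C:\Program Files\App\app.exe", '"app.exe" --update'),
]

if __name__ == "__main__":
    for host, tags in hunt(SAMPLE_EVENTS).items():
        print(host, tags)
```

A host that shows both tags in a short window is the pattern worth triaging first; a lone MSSQL stop is routine maintenance far more often than ransomware.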
Cyware Publisher