
Ukraine, Poland Orgs Targeted by New Prestige Ransomware

According to Microsoft, the novel Prestige ransomware (tracked as DEV-0960 by its researchers) is targeting transportation and logistics organizations in Ukraine and Poland. The ransomware was first spotted on October 11.
 

Diving into details

The MSTIC found that the attacker's activity shares characteristics with Russian state-aligned activity and overlaps with the FoxBlade malware (aka HermeticWiper).
The activity was found to have no connection to any of the 94 currently active ransomware groups that Microsoft tracks.
The company is notifying all of its customers that have been compromised and had their systems encrypted with this ransomware.
 

Deployment methods

The MSTIC report highlights three methods used to deploy the ransomware:
  • Method 1: The ransomware payload is copied to the ADMIN$ share of a remote system, and Impacket is used to remotely create a scheduled Windows task on the target system to execute the payload.
  • Method 2: Remote systems are infected by copying the payload to their ADMIN$ shares, after which an encoded PowerShell command is invoked remotely on the target systems using Impacket.
  • Method 3: Using the Default Domain Group Policy Object, the ransomware payload is copied to a domain controller in Active Directory and distributed from there.

The encryption

  • Once deployed, Prestige drops a ransom note named "README.txt" on every drive it encrypts.
  • It selects files to encrypt based on their extensions and appends the .enc extension to the file name after encryption.
  • On compromised systems, it encrypts all matching files with AES and deletes backup files and volume shadow copies to hinder recovery.
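A small log-correlation detector for the deployment methods and encryption behaviour summarised above (an added example, not Microsoft's hunting queries or Cyware's content; the Sysmon-style records, host names, file paths and the ten-minute correlation window are constructed assumptions):

```python
"""Flag the Prestige-style patterns described in the article in process and
file-creation telemetry. Log format, hosts and paths are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon-style records: (timestamp, host, event, detail)
SAMPLE_LOGS = [
    ("2022-10-11T09:00:01", "FS01", "FileCreate", r"\\FS01\ADMIN$\svc_update.exe"),
    ("2022-10-11T09:00:05", "FS01", "ProcessCreate",
     r"schtasks.exe /create /tn Update /tr C:\Windows\svc_update.exe /ru SYSTEM"),
    ("2022-10-11T09:02:10", "WS07", "ProcessCreate",
     "powershell.exe -nop -w hidden -EncodedCommand AAAAAAAA"),  # placeholder blob
    ("2022-10-11T09:05:00", "FS01", "ProcessCreate", "vssadmin.exe delete shadows /all /quiet"),
    ("2022-10-11T09:06:00", "FS01", "FileCreate", r"C:\Data\Q3-report.xlsx.enc"),
    ("2022-10-11T10:00:00", "WS02", "ProcessCreate", "notepad.exe README.txt"),  # benign noise
]

WINDOW = timedelta(minutes=10)  # assumed window between ADMIN$ drop and task creation


def detect(logs):
    """Return (host, rule) findings in chronological order. Rules map to
    deployment methods 1 and 2 and to the recovery-inhibition/encryption steps."""
    findings = []
    admin_share_drops = defaultdict(list)  # host -> timestamps of files written to ADMIN$
    for ts_s, host, event, detail in sorted(logs):
        ts = datetime.fromisoformat(ts_s)
        d = detail.lower()
        if event == "FileCreate":
            if re.search(r"\\admin\$\\", d):
                admin_share_drops[host].append(ts)
            elif d.endswith(".enc"):  # file renamed with the .enc extension after encryption
                findings.append((host, "enc_extension_write"))
        elif event == "ProcessCreate":
            # Method 1: scheduled task created shortly after a payload landed on ADMIN$
            if "schtasks" in d and "/create" in d and any(
                    timedelta(0) <= ts - t <= WINDOW for t in admin_share_drops[host]):
                findings.append((host, "method1_admin_share_then_schtask"))
            # Method 2: remotely invoked encoded PowerShell (-e, -enc, -encodedcommand)
            if "powershell" in d and re.search(r"-e(nc(odedcommand)?)?\b", d):
                findings.append((host, "method2_encoded_powershell"))
            # Shadow copies deleted to hinder recovery
            if "vssadmin" in d and "delete shadows" in d:
                findings.append((host, "shadow_copy_deletion"))
    # A README.txt on its own is too common to alert on; it only adds context here.
    return findings
```

Run against richer telemetry, the ADMIN$-then-schtasks correlation is the rule with the best signal-to-noise; the .enc write rule fires late, once encryption has already begun.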
 

Conclusion

As the threat landscape in Ukraine evolves, ransomware and wiper attackers are increasingly relying on petty security weaknesses to succeed. Microsoft shared a list of indicators of compromise (IOCs) and advanced hunting queries to help defenders detect and mitigate Prestige ransomware attacks.