New Prestige Ransomware Attacks Polish and Ukrainian Organizations

by Emma Davis
October 18, 2022
New Prestige ransomware
Written by Emma Davis

Microsoft experts have discovered a new Prestige ransomware that is being used to attack transport and logistics organizations in Poland and Ukraine.

Although the researchers have not yet linked Prestige activity to specific attackers, the company noted that Prestige activity is similar to the attacks of the previously discovered FoxBlade malware.

Let me remind you that we also reported that Google Specialists Said That Former Members of Conti Are Attacking Ukrainian Organizations, and also that Sandworm Targets Ukraine With Industroyer2 Malware.

Analysts say that Prestige refers to itself as “Prestige ranusomeware” in its extortion notes, and the first attacks of this malware were recorded on October 11, 2022, when several incidents occurred with a difference of only one hour.

New Prestige ransomware

This activity is not associated with any of the 94 currently active ransomware groups that Microsoft is monitoring. Prior to these incidents, Prestige ransomware was not observed by Microsoft.the experts write.

So far, analysts have not linked the Prestige attacks to specific attackers and track this activity under the identifier DEV-0960. At the same time, the report notes that the activity of Prestige has a certain similarity with the attacks of the previously discovered malware FoxBlade (aka HermeticWiper). This destructive malware was used to attack Ukrainian organizations shortly before the start of a special military operation.

A Microsoft report says that Prestige operators use several methods to deploy payloads on victim networks, and this has nothing to do with what security measures the defenders use. Experts list three deployment methods:

  1. the ransomware payload is copied to the ADMIN$ shared folder, and the open source Impacket WMIexec is used to remotely create a scheduled task on target systems to execute the payload;
  2. the ransomware payload is copied to the ADMIN$ share, and Impacket WMIexec is used to remotely invoke an encoded PowerShell command on target systems to execute the payload;
  3. the ransomware payload is copied to an Active Directory domain controller and deployed to systems using the default domain group policy.

It is noted that the malware encrypts files based on a list of extensions and adds the .enc extension to all affected files. The Prestige uses the CryptoPP C++ library for AES encryption of each file and deletes all backups and shadow copies of all volumes to make it difficult to restore information.

Sending
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Emma Davis

I'm writer and content manager (a short time ago completed a bachelor degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.

View all posts

Leave a Reply

Sending