Prestige Ransomware Aims at Ukrainian and Polish Organizations, Microsoft Warns

Microsoft disclosed that threat actors are deploying a new strain of ransomware dubbed Prestige against logistics and transportation organizations in Poland and Ukraine.

The new ransomware was noticed earlier this month in attacks that unfolded within one hour. According to Microsoft, several things set apart the recently discovered campaign from other tracked ransomware movements:

• Appears to be unrelated to any of the other 94 currently active ransomware groups tracked by the company
• Deploying ransomware enterprise-wide is uncommon in Ukraine
• Prestige ransomware appears to have a Russia-aligned agenda for acquiring its targets
• The activity overlaps with previous FoxBlade (HermeticWiper) malware victims

“Despite using similar deployment techniques, the campaign is distinct from recent destructive attacks leveraging AprilAxe (ArguePatch)/CaddyWiper or Foxblade (HermeticWiper) that have impacted multiple critical infrastructure organizations in Ukraine over the last two weeks,” Microsoft’s security advisory reads. “MSTIC has not yet linked this ransomware campaign to a known threat group and is continuing investigations. MSTIC is tracking this activity as DEV-0960.”

Before deploying ransomware on the compromised systems, Prestige operators used RemoteExec and Impacket WMIexec, two remote code execution utilities. In some of the environments, threat actors extracted credentials and escalated privileges by using the following:

• comsvcs.dll – stealing credentials and dumping LSASS process memory
• ntdsutil.exe – backing up the Active Directory database
• winPEAS – escalating privileges on Windows

In all the observed incidents, the perpetrators already had access to elevated accounts before deploying the ransomware. Although the initial access vector has not been identified yet, Microsoft believes that the attackers could’ve exploited existing admin-level access from previous incidents.

The company included a set of mitigation tips against Prestige ransomware campaigns:

• Enable multi-factor authentication (MFA) to prevent threat actors from logging into potentially compromised accounts
• Stop lateral movement using Impacket’s WMIexec component by blocking process creations that originate from WMI and PSExec commands
• Use the indicators of compromise (IOC) included in the advisory to assess if your system has been compromised

Specialized software such as Bitdefender Ultimate Security can keep you safe from ransomware and other cybernetic threats with its extensive range of features, including:

• All-around, continuous monitoring against ransomware, Trojans, viruses, worms, rootkits, spyware, zero-day exploits, and other types of e-threats
• Network threat prevention that analyzes and identifies various types of suspicious network-level activities and blocks them before they can harm you
• Advanced threat defense module that meticulously scans active apps and takes instant action upon detecting suspicious activity
• Web-filtering technology that protects you against landing on harmful websites