Microsoft disclosed that threat actors are deploying a new strain of ransomware dubbed Prestige against logistics and transportation organizations in Poland and Ukraine.
The new ransomware was noticed earlier this month in attacks that unfolded within one hour. According to Microsoft, several things set apart the recently discovered campaign from other tracked ransomware movements:
“Despite using similar deployment techniques, the campaign is distinct from recent destructive attacks leveraging AprilAxe (ArguePatch)/CaddyWiper or Foxblade (HermeticWiper) that have impacted multiple critical infrastructure organizations in Ukraine over the last two weeks,” Microsoft’s security advisory reads. “MSTIC has not yet linked this ransomware campaign to a known threat group and is continuing investigations. MSTIC is tracking this activity as DEV-0960.”
Before deploying ransomware on the compromised systems, Prestige operators used RemoteExec
and Impacket WMIexec
, two remote code execution utilities. In some of the environments, threat actors extracted credentials and escalated privileges by using the following:
comsvcs.dll
– stealing credentials and dumping LSASS process memoryntdsutil.exe
– backing up the Active Directory databasewinPEAS
– escalating privileges on WindowsIn all the observed incidents, the perpetrators already had access to elevated accounts before deploying the ransomware. Although the initial access vector has not been identified yet, Microsoft believes that the attackers could’ve exploited existing admin-level access from previous incidents.
The company included a set of mitigation tips against Prestige ransomware campaigns:
Specialized software such as Bitdefender Ultimate Security can keep you safe from ransomware and other cybernetic threats with its extensive range of features, including:
tags
Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.
View all postsSeptember 06, 2024
September 02, 2024