Microsoft reveals new Prestige ransomware campaign against Ukraine and Poland

On Friday 14th of October 2022, Microsoft published an article stating that a novel ransomware campaign, Prestige ransomware, is being used to target transportation and logistics organizations in Ukraine and Poland in ongoing attacks. The campaign was first observed on Tuesday 11th of October 2022, when a series of attacks were detected within an hour of each other.

“The activity shares victimology with recent Russian state-aligned activity, specifically on affected geographies and countries, and overlaps with previous victims of the FoxBlade malware (also known as HermeticWiper),” – Microsoft Threat Intelligence Center (MSTIC).

Currently, Microsoft has yet to link the Prestige ransomware attacks to a specific threat actor, so the activity is being temporarily tracked as an activity cluster, DEV-0960. Observations of the threat group show that it has used several methods to deploy the payload across the victims’ networks.

In the article, three observed methods were highlighted:

  • Method 1: The ransomware payload is copied to the ADMIN$ share of a remote system, and Impacket is used to remotely create a Windows Scheduled Task on target systems to execute the payload
  • Method 2: The ransomware payload is copied to the ADMIN$ share of a remote system, and Impacket is used to remotely invoke an encoded PowerShell command on target systems to execute the payload
  • Method 3: The ransomware payload is copied to an Active Directory Domain Controller and deployed to systems using the Default Domain Group Policy Object
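The three deployment methods above all leave traces in standard Windows Security events. The following is an added example (not from Microsoft's article) of a small correlation rule in Python: it remembers executables written to the ADMIN$ share (event 5145), then flags scheduled-task creation (4698) or an encoded PowerShell command (4688) that references one of those files, and separately flags any modification (5136) of the Default Domain Policy GPO. The event records, host names, IP and file name are constructed sample data; the only real identifier is the well-known Default Domain Policy GUID.

```python
import base64
import re

# Well-known GUID of the Default Domain Policy GPO (identical in every AD domain).
DEFAULT_DOMAIN_POLICY_GUID = "{31B2F340-016D-11D2-945F-00C04FB984F9}"
ENCODED_FLAG = re.compile(r"-(?:enc|encodedcommand|e)\s+([A-Za-z0-9+/=]{16,})", re.I)

def decode_encoded_powershell(cmdline):
    """Return the plaintext of a PowerShell -EncodedCommand argument, or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def scan(events):
    """Correlate events in order: remember executables written to ADMIN$
    (which maps to %SystemRoot%), then flag scheduled tasks or encoded
    PowerShell that reference them, and any edit of the Default Domain GPO."""
    dropped, hits = set(), []
    for ev in events:
        eid, host = ev["id"], ev["host"]
        if eid == 5145 and ev["share"].upper().endswith("ADMIN$") and ev["target"].lower().endswith(".exe"):
            dropped.add(ev["target"].lower())
            hits.append((host, "drop-to-ADMIN$", f'{ev["src_ip"]} wrote {ev["target"]}'))
        elif eid == 4698 and any(name in ev["command"].lower() for name in dropped):
            hits.append((host, "method1-scheduled-task", ev["command"]))
        elif eid == 4688:
            plain = decode_encoded_powershell(ev["cmd"])
            if plain and any(name in plain.lower() for name in dropped):
                hits.append((host, "method2-encoded-powershell", plain))
        elif eid == 5136 and DEFAULT_DOMAIN_POLICY_GUID in ev["object_dn"].upper():
            hits.append((host, "method3-default-domain-gpo-edit", ev["attribute"]))
    return hits

# Constructed sample records, loosely modelled on Windows Security log fields
# (5145 share access, 4698 task created, 4688 process creation, 5136 AD object modified).
ENCODED = base64.b64encode("Start-Process C:\\Windows\\payload.exe".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"id": 5145, "host": "ws-01", "src_ip": "10.0.0.5", "share": "\\\\*\\ADMIN$", "target": "payload.exe"},
    {"id": 4698, "host": "ws-01", "command": "C:\\Windows\\payload.exe"},
    {"id": 4688, "host": "ws-01", "cmd": "powershell.exe -NoP -enc " + ENCODED},
    {"id": 4688, "host": "ws-02", "cmd": "notepad.exe C:\\notes.txt"},
    {"id": 5136, "host": "dc-01", "attribute": "gPCMachineExtensionNames",
     "object_dn": "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=example"},
]
```

Running `scan(SAMPLE_EVENTS)` yields one hit per method plus the ADMIN$ drop; the task and PowerShell events are only flagged because an earlier 5145 event wrote the file they reference, which keeps ordinary scheduled tasks and benign encoded commands out of the results.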
