Microsoft warns of 'Prestige' ransomware targeting business in Ukraine, Poland

Microsoft has warned of a new strain of ransomware, known as ‘Prestige’, that appears to be operating independently of known groups to target organisations across Ukraine and Poland.

Microsoft Threat Intelligence Center (MSTIC) first identified the novel ransomware on October 11, in attacks on companies within the transportation and logistics industry, all taking place within an hour of each other. In its ransom notes, the malware is simply identified as ‘Prestige ranusomware[sic].’

Unlike other ransomware campaigns targeting Ukrainian government and public services, Prestige appears to be only directed towards businesses The threat actor behind the ransomware has not yet been identified, but Microsoft have noted similarities between its operations and those of Russian state-sponsored threat actors, including a shared pool of victims with the HermeticWiper malware strain.

Specific attack vectors for Prestige are being investigated, but in all cases seen in the wild thus far, its operators already had privileged credentials within their victim’s network.

Across the attacks, three distinct methodologies were used to deploy Prestige. In the first, its payload was copied to the ADMIN$ share of a system and remotely executed through a Windows Scheduled Task using Impacket.

The second was largely similar save for the use of a PowerShell command to execute the payload, with the third seeing the payload copied to an Active Directory Domain Controller, which then automatically deployed the ransomware to connected systems.

“It seems that the malicious actors have added the physical supply chain to their targets, possibly signalling that direct cyber-attacks aimed at the Ukrainian and Polish critical infrastructure have failed,” stated Avishai Avivi, CISO at SafeBreach.

Like several other strains of malware, Prestige uses advanced encryption standard (AES) encryption to obfuscate the files of its victims, affecting all files ending in any file extension contained within a hard-coded list. However, it also differs from recent exotic malware strains written in the programming language Rust, or Go, as Prestige uses the more traditional C++, specifically the free cryptography library CryptoPP.

In its blog post on the discovery, Microsoft published a hardcoded RSA X509 public key used to encrypt each of the affected files. It is likely that each version of Prestige comes with its own individual key, but this has not yet been confirmed.

In advance of encryption, Prestige leverages control over the victim’s System32 directory to delete the functions associated with file redirection. It then deletes the system’s backup catalogue and all the volume shadow copies, which are backups and snapshots of files on a system that Windows automatically generates to safeguard data.

As is the case with most ransomware, a text file is then created on the victim’s device at path C:\Users\Public\README, containing a warning not to attempt to recover lost data and instructions on how to pay the threat actors for files to be returned. All encrypted data is appended with the extension ‘.enc’, which is registered under a custom file extension handler so that if any file is opened, the ransom note is instead opened. Custom file extensions have also been used in ransomware such as Gwisin, which has been found attacking pharmaceutical companies in South Korea.

MSTIC has advised organisations to follow best practice against ransomware, ensure good use of multi-factor authentication (MFA), and to watch out for a series of indicators of compromise (IoCs) within network environments. The unknown identity or goals of the strain, which has not been aligned with any of MSTIC's 94 tracked groups within the region, make it one of particular concern.