Microsoft warns of 'Prestige' ransomware targeting business in Ukraine, Poland

An abstract image showing a series of blue 1's and 0's with the word ransomware displayed in red in the middle

Microsoft has warned of a new strain of ransomware, known as ‘Prestige’, that appears to be operating independently of known groups to target organisations across Ukraine and Poland.

Microsoft Threat Intelligence Center (MSTIC) first identified the novel ransomware on October 11, in attacks on companies within the transportation and logistics industry, all taking place within an hour of each other. In its ransom notes, the malware is simply identified as ‘Prestige ranusomware[sic].’

RELATED RESOURCE

Escape the ransomware maze

Conventional endpoint protection tools just aren’t the best defence anymore

FREE DOWNLOAD

Unlike other ransomware campaigns targeting Ukrainian government and public services, Prestige appears to be only directed towards businesses The threat actor behind the ransomware has not yet been identified, but Microsoft have noted similarities between its operations and those of Russian state-sponsored threat actors, including a shared pool of victims with the HermeticWiper malware strain.

Specific attack vectors for Prestige are being investigated, but in all cases seen in the wild thus far, its operators already had privileged credentials within their victim’s network.

Across the attacks, three distinct methodologies were used to deploy Prestige. In the first, its payload was copied to the ADMIN$ share of a system and remotely executed through a Windows Scheduled Task using Impacket.

The second was largely similar save for the use of a PowerShell command to execute the payload, with the third seeing the payload copied to an Active Directory Domain Controller, which then automatically deployed the ransomware to connected systems.

“It seems that the malicious actors have added the physical supply chain to their targets, possibly signalling that direct cyber-attacks aimed at the Ukrainian and Polish critical infrastructure have failed,” stated Avishai Avivi, CISO at SafeBreach.

Like several other strains of malware, Prestige uses advanced encryption standard (AES) encryption to obfuscate the files of its victims, affecting all files ending in any file extension contained within a hard-coded list. However, it also differs from recent exotic malware strains written in the programming language Rust, or Go, as Prestige uses the more traditional C++, specifically the free cryptography library CryptoPP.

In its blog post on the discovery, Microsoft published a hardcoded RSA X509 public key used to encrypt each of the affected files. It is likely that each version of Prestige comes with its own individual key, but this has not yet been confirmed.

In advance of encryption, Prestige leverages control over the victim’s System32 directory to delete the functions associated with file redirection. It then deletes the system’s backup catalogue and all the volume shadow copies, which are backups and snapshots of files on a system that Windows automatically generates to safeguard data.

As is the case with most ransomware, a text file is then created on the victim’s device at path C:\Users\Public\README, containing a warning not to attempt to recover lost data and instructions on how to pay the threat actors for files to be returned. All encrypted data is appended with the extension ‘.enc’, which is registered under a custom file extension handler so that if any file is opened, the ransom note is instead opened. Custom file extensions have also been used in ransomware such as Gwisin, which has been found attacking pharmaceutical companies in South Korea.

MSTIC has advised organisations to follow best practice against ransomware, ensure good use of multi-factor authentication (MFA), and to watch out for a series of indicators of compromise (IoCs) within network environments. The unknown identity or goals of the strain, which has not been aligned with any of MSTIC's 94 tracked groups within the region, make it one of particular concern.

Rory Bathgate
Features and Multimedia Editor

Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.

In his free time, Rory enjoys photography, video editing, and good science fiction. After graduating from the University of Kent with a BA in English and American Literature, Rory undertook an MA in Eighteenth-Century Studies at King’s College London. He joined ITPro in 2022 as a graduate, following four years in student journalism. You can contact Rory at rory.bathgate@futurenet.com or on LinkedIn.