Verticals Targeted: Transportation, Logistics
Executive Summary
Microsoft Threat Intelligence Center recently reported on Prestige ransomware, a novel ransomware family used to target entities in Ukraine and Poland in October 2022.
Key Takeaways
- Prestige ransomware is a newly discovered ransomware family used to target entities in Ukraine and Poland.
- Threat actors were observed using at least three different methods to deploy the ransomware in victim environments.
- Prestige uses the CryptoPP C++ library to AES-encrypt files and appends the .enc extension to encrypted files.
What is Prestige?
Prestige ransomware is a novel ransomware family used to target entities in the transportation and logistics verticals in Ukraine and Poland in October 2022.
Microsoft noted Prestige differs from other ransomware campaigns in several ways. Ransomware deployed enterprise-wide is uncommon in Ukraine. The activity does not appear to be related to any of the ransomware families Microsoft tracks and had not been observed by them before. However, the victimology overlaps with that of Russian state-sponsored threat actors, and some victims were previously affected by HermeticWiper.
Prior to deploying Prestige, the threat actors used two remote execution utilities, RemoteExec and Impacket wmiexec. For credential theft and privilege escalation, they used winPEAS, comsvcs.dll, and ntdsutil.exe. The threat actors had obtained highly privileged credentials before installing Prestige; however, the initial access vector was not determined.
After obtaining the necessary credentials, the threat actors staged the payload. The method of deployment varied across victims, even though the infections were all deployed within an hour of one another. The following methods were observed:
- The threat actors copied the payload to the ADMIN$ share and used Impacket to create a Windows Scheduled Task on the victim machine to execute the payload.
- The threat actors copied the payload to the ADMIN$ share and used Impacket to remotely invoke a PowerShell command to execute the payload.
- The threat actors copied the payload to an Active Directory Domain Controller and used the Default Domain Group Policy Object to deploy the payload across multiple systems.
Microsoft notes Prestige requires admin privileges to run. The ransomware attempts to stop the MSSQL Windows service to facilitate encryption. It creates a directory at C:\Users\Public\README and places a ransom note in that directory and in the root directory of each drive. The ransom note notifies the victim of the file encryption and instructs them to contact the threat actors to “purchase decryption software.” The note warns victims not to try to decrypt data using other methods and to not modify or rename encrypted files.
Prestige then encrypts files, skipping those under C:\Windows\ and C:\ProgramData\Microsoft\. It uses the CryptoPP C++ library to AES-encrypt the files and appends the .enc extension to each encrypted file. If the victim tries to open any file with the .enc extension, Notepad opens and displays the ransom note. Prestige also deletes the system's backup catalog and all volume shadow copies. At present, this activity has not been attributed to a particular threat actor group.
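The three deployment methods and the on-host behaviours above map naturally onto detection rules. The following is an added example (not part of the Microsoft or PolySwarm material) that runs such rules over constructed telemetry. Host names, file paths and the payload name svc.exe are invented; the event schema is a simplified stand-in for EDR or Windows event data. Two inferences are assumptions of the example rather than facts from the page: a payload copied to ADMIN$ lands directly under C:\Windows\ (ADMIN$ maps to the Windows directory), and the backup catalog and shadow copies are removed with the built-in vssadmin and wbadmin commands, which the page does not name.

```python
"""Detection logic for the Prestige deployment and on-host behaviours described
above, run over constructed sample telemetry.  Added example, not from the page."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    """One normalised telemetry record (constructed schema, not a real EDR format)."""
    host: str
    kind: str           # process | task_created | service | file | gpo
    parent: str = ""    # parent image, process events
    image: str = ""     # image path, process events
    cmdline: str = ""   # command line, process and task_created events
    path: str = ""      # file path, file events
    detail: str = ""    # service or GPO name
    action: str = ""    # e.g. "stop" for service events, "modified" for gpo events


# ADMIN$ maps to the Windows directory, so a payload copied to ADMIN$ sits directly
# under C:\Windows\.  Flagging an .exe at that level (no subdirectory) is an assumption
# of this example; legitimate scheduled tasks normally run binaries from System32.
_ADMIN_SHARE_EXE = re.compile(r'c:\\windows\\[^\\\s"]+\.exe', re.I)
# The page says Prestige deletes the backup catalog and all shadow copies but names no
# command; these are the usual built-in commands for that (assumption).
_BACKUP_DESTRUCTION = re.compile(
    r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wbadmin(\.exe)?\s+delete\s+catalog)", re.I)
_RANSOM_NOTE_DIR = "c:\\users\\public\\readme"   # directory named on the page


def rule_hits(e: Event) -> set:
    """Return the names of the single-event rules that fire for one record."""
    hits = set()
    if e.kind == "task_created" and _ADMIN_SHARE_EXE.search(e.cmdline):
        hits.add("task_runs_payload_from_admin_share")
    # Impacket wmiexec launches its command through WMI, so the child hangs off WmiPrvSE.exe.
    if (e.kind == "process" and e.parent.lower().endswith("\\wmiprvse.exe")
            and e.image.lower().endswith("\\powershell.exe")):
        hits.add("wmi_spawned_powershell")
    if e.kind == "gpo" and e.detail.lower() == "default domain policy":
        hits.add("default_domain_gpo_changed")
    # MSSQLSERVER is the default SQL Server instance service name (assumption for the sample).
    if e.kind == "service" and e.detail.upper().startswith("MSSQL") and e.action == "stop":
        hits.add("mssql_service_stopped")
    if e.kind == "file" and e.path.lower().startswith(_RANSOM_NOTE_DIR):
        hits.add("ransom_note_directory")
    if e.kind == "process" and _BACKUP_DESTRUCTION.search(e.cmdline):
        hits.add("backup_or_shadow_copy_deletion")
    return hits


def detect(events, enc_threshold=3) -> dict:
    """Aggregate per host: single-event rules plus a burst of .enc file writes."""
    hits = defaultdict(set)
    enc_writes = defaultdict(int)
    for e in events:
        hits[e.host] |= rule_hits(e)
        if e.kind == "file" and e.path.lower().endswith(".enc"):
            enc_writes[e.host] += 1
    for host, n in enc_writes.items():
        if n >= enc_threshold:   # low threshold only because the sample is tiny
            hits[host].add("enc_extension_burst")
    return {h: sorted(r) for h, r in hits.items() if r}


# Constructed sample telemetry; hosts, paths and the payload name are invented.
SAMPLE_EVENTS = [
    # Method 1: payload on ADMIN$, scheduled task created remotely, then execution effects
    Event("FS01", "task_created", cmdline=r"C:\Windows\svc.exe"),
    Event("FS01", "service", detail="MSSQLSERVER", action="stop"),
    Event("FS01", "file", path=r"C:\Users\Public\README\README"),
    Event("FS01", "file", path=r"D:\Shares\q3.xlsx.enc"),
    Event("FS01", "file", path=r"D:\Shares\plan.docx.enc"),
    Event("FS01", "file", path=r"D:\Shares\routes.pdf.enc"),
    Event("FS01", "process", parent=r"C:\Windows\svc.exe",
          image=r"C:\Windows\System32\vssadmin.exe",
          cmdline="vssadmin.exe delete shadows /all /quiet"),
    # Method 2: payload on ADMIN$, executed through Impacket wmiexec + PowerShell
    Event("WS07", "process", parent=r"C:\Windows\System32\wbem\WmiPrvSE.exe",
          image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          cmdline=r"powershell.exe -c C:\Windows\svc.exe"),
    # Method 3: Default Domain Policy edited on the DC to push the payload
    Event("DC01", "gpo", detail="Default Domain Policy", action="modified"),
    # Benign noise that must not fire
    Event("WS09", "task_created", cmdline=r"C:\Windows\System32\cleanmgr.exe /autoclean"),
    Event("WS09", "process", parent=r"C:\Windows\explorer.exe",
          image=r"C:\Windows\System32\notepad.exe", cmdline="notepad.exe notes.txt"),
    Event("WS09", "file", path=r"C:\Users\bob\notes.txt"),
]

if __name__ == "__main__":
    for host, rules in detect(SAMPLE_EVENTS).items():
        print(host, ", ".join(rules))
```

The per-host aggregation matters more than any single rule: a stopped MSSQL service or a WMI-spawned PowerShell is noisy on its own, but a host that also writes C:\Users\Public\README and a run of .enc files within the same window is a strong signal, and the Default Domain Policy change on the domain controller is the lead worth chasing first because it explains every other host.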
IOCs
PolySwarm has a sample of Prestige.
5fc44c7342b84f50f24758e39c8848b2f0991e8817ef5465844f5f2ff6085a57
You can use the following CLI command to search for all Prestige samples in our portal:
$ polyswarm link list -f Prestige
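For responders who need to check a host or a mounted disk image offline rather than through the portal, the following added example (not PolySwarm tooling) hashes every file against the published Prestige SHA-256, counts .enc files, and locates the C:\Users\Public\README directory described above. The constructed sample tree it builds uses a harmless placeholder file whose own hash stands in for the real IOC; treating an .exe directly in the Windows root as worth review is an assumption drawn from the ADMIN$ deployment method, not a fact stated on the page.

```python
"""Offline triage sweep for the Prestige indicators described above: hash files
against known sample hashes, count .enc files, and locate the ransom-note directory.
Added example; this is not PolySwarm tooling."""
import hashlib
import tempfile
from pathlib import Path

# The Prestige SHA-256 published on the page.
PRESTIGE_SHA256 = {"5fc44c7342b84f50f24758e39c8848b2f0991e8817ef5465844f5f2ff6085a57"}
RANSOM_NOTE_DIR = "users/public/readme"   # C:\Users\Public\README, relative to the drive root


def sha256_of(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large files never need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, iocs=PRESTIGE_SHA256) -> dict:
    """Walk a drive root (or mounted image) and collect Prestige indicators."""
    root = Path(root)
    found = {"ioc_matches": [], "enc_files": 0, "ransom_notes": [], "windows_root_exes": []}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix().lower()
        if sha256_of(p) in iocs:
            found["ioc_matches"].append(str(p))
        if p.suffix.lower() == ".enc":
            found["enc_files"] += 1
        if rel.startswith(RANSOM_NOTE_DIR + "/"):
            found["ransom_notes"].append(str(p))
        # ADMIN$ is the Windows directory, so a payload copied there sits directly in its
        # root; an .exe at that level (not System32 etc.) is worth a look (assumption).
        if p.suffix.lower() == ".exe" and p.parent.relative_to(root).as_posix().lower() == "windows":
            found["windows_root_exes"].append(str(p))
    return found


def verdict(found: dict) -> str:
    """Collapse the sweep result into a single triage label."""
    if found["ioc_matches"]:
        return "ioc_match"
    if found["enc_files"] or found["ransom_notes"]:
        return "encryption_indicators"
    if found["windows_root_exes"]:
        return "review"
    return "clean"


def build_sample_tree() -> tuple:
    """Create a constructed drive layout in a temp dir; returns (root, IOC set for it).
    The 'payload' is a harmless placeholder whose hash stands in for the real sample."""
    root = Path(tempfile.mkdtemp(prefix="prestige-sweep-"))
    files = {
        "windows/svc.exe": b"constructed payload stand-in",
        "windows/system32/cleanmgr.exe": b"constructed system binary",
        "users/public/readme/README": b"constructed ransom note text",
        "data/q3.xlsx.enc": b"\x00constructed ciphertext",
        "data/plan.docx.enc": b"\x00constructed ciphertext",
        "users/bob/notes.txt": b"plain notes",
    }
    for rel, content in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)
    return root, {hashlib.sha256(files["windows/svc.exe"]).hexdigest()}


if __name__ == "__main__":
    sample_root, sample_iocs = build_sample_tree()
    result = sweep(sample_root, sample_iocs)
    print(verdict(result), result)
```

Run it against a drive root with the default IOC set to check for the published hash; pass your own set to extend it as further samples are catalogued. The note dropped in the root of each drive is not matched by name because the page does not give the note's file name.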