Microsoft warns of 'Prestige' ransomware targeting business in Ukraine, Poland
The new strain appears to be operating independently of all known hacking groups currently in the region


Microsoft has warned of a new strain of ransomware, known as ‘Prestige’, that appears to be operating independently of known groups to target organisations across Ukraine and Poland.
Microsoft Threat Intelligence Center (MSTIC) first identified the novel ransomware on October 11, in attacks on companies within the transportation and logistics industry, all taking place within an hour of each other. In its ransom notes, the malware is simply identified as ‘Prestige ranusomware[sic].’
RELATED RESOURCE
Escape the ransomware maze
Conventional endpoint protection tools just aren’t the best defence anymore
Unlike other ransomware campaigns targeting Ukrainian government and public services, Prestige appears to be only directed towards businesses The threat actor behind the ransomware has not yet been identified, but Microsoft have noted similarities between its operations and those of Russian state-sponsored threat actors, including a shared pool of victims with the HermeticWiper malware strain.
Specific attack vectors for Prestige are being investigated, but in all cases seen in the wild thus far, its operators already had privileged credentials within their victim’s network.
Across the attacks, three distinct methodologies were used to deploy Prestige. In the first, its payload was copied to the ADMIN$ share of a system and remotely executed through a Windows Scheduled Task using Impacket.
The second was largely similar save for the use of a PowerShell command to execute the payload, with the third seeing the payload copied to an Active Directory Domain Controller, which then automatically deployed the ransomware to connected systems.
“It seems that the malicious actors have added the physical supply chain to their targets, possibly signalling that direct cyber-attacks aimed at the Ukrainian and Polish critical infrastructure have failed,” stated Avishai Avivi, CISO at SafeBreach.
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
Like several other strains of malware, Prestige uses advanced encryption standard (AES) encryption to obfuscate the files of its victims, affecting all files ending in any file extension contained within a hard-coded list. However, it also differs from recent exotic malware strains written in the programming language Rust, or Go, as Prestige uses the more traditional C++, specifically the free cryptography library CryptoPP.
In its blog post on the discovery, Microsoft published a hardcoded RSA X509 public key used to encrypt each of the affected files. It is likely that each version of Prestige comes with its own individual key, but this has not yet been confirmed.
In advance of encryption, Prestige leverages control over the victim’s System32 directory to delete the functions associated with file redirection. It then deletes the system’s backup catalogue and all the volume shadow copies, which are backups and snapshots of files on a system that Windows automatically generates to safeguard data.
As is the case with most ransomware, a text file is then created on the victim’s device at path C:\Users\Public\README, containing a warning not to attempt to recover lost data and instructions on how to pay the threat actors for files to be returned. All encrypted data is appended with the extension ‘.enc’, which is registered under a custom file extension handler so that if any file is opened, the ransom note is instead opened. Custom file extensions have also been used in ransomware such as Gwisin, which has been found attacking pharmaceutical companies in South Korea.
MSTIC has advised organisations to follow best practice against ransomware, ensure good use of multi-factor authentication (MFA), and to watch out for a series of indicators of compromise (IoCs) within network environments. The unknown identity or goals of the strain, which has not been aligned with any of MSTIC's 94 tracked groups within the region, make it one of particular concern.

Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.
In his free time, Rory enjoys photography, video editing, and good science fiction. After graduating from the University of Kent with a BA in English and American Literature, Rory undertook an MA in Eighteenth-Century Studies at King’s College London. He joined ITPro in 2022 as a graduate, following four years in student journalism. You can contact Rory at rory.bathgate@futurenet.com or on LinkedIn.
-
Cloudflare is cracking down on AI web scrapers
News Cloudflare CEO Matthew Prince said AI companies have been "scraping content without limits" - now the company is cracking down.
-
Swiss government data published following supply chain attack – here’s what we know about the culprits
News Radix, a non-profit organization in the health promotion sector, supplies a number of federal offices, whose data has apparently been accessed.
-
Swiss government data published following supply chain attack – here’s what we know about the culprits
News Radix, a non-profit organization in the health promotion sector, supplies a number of federal offices, whose data has apparently been accessed.
-
Ransomware victims are getting better at haggling with hackers
News While nearly half of companies paid a ransom to get their data back last year, victims are taking an increasingly hard line with hackers to strike fair deals.
-
LockBit data dump reveals a treasure trove of intel on the notorious hacker group
News An analysis of May's SQL database dump shows how much LockBit was really making
-
‘I take pleasure in thinking I can rid society of at least some of them’: A cyber vigilante is dumping information on notorious ransomware criminals – and security experts say police will be keeping close tabs
News An anonymous whistleblower has released large amounts of data allegedly linked to the ransomware gangs
-
It's been a bad week for ransomware operators
News A host of ransomware strains have been neutralized, servers seized, and key players indicted
-
Everything we know about the Peter Green Chilled cyber attack
News A ransomware attack on the chilled food distributor highlights the supply chain risks within the retail sector
-
Scattered Spider: Who are the alleged hackers behind the M&S cyber attack?
News The Scattered Spider group has been highly active in recent years
-
Ransomware attacks are rising — but quiet payouts could mean there's more than actually reported
News Ransomware attacks continue to climb, but they may be even higher than official figures show as companies choose to quietly pay to make such incidents go away.