IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Microsoft warns of 'Prestige' ransomware targeting business in Ukraine, Poland

The new strain appears to be operating independently of all known hacking groups currently in the region

An abstract image showing a series of blue 1's and 0's with the word ransomware displayed in red in the middle

Microsoft has warned of a new strain of ransomware, known as ‘Prestige’, that appears to be operating independently of known groups to target organisations across Ukraine and Poland.

Microsoft Threat Intelligence Center (MSTIC) first identified the novel ransomware on October 11, in attacks on companies within the transportation and logistics industry, all taking place within an hour of each other. In its ransom notes, the malware is simply identified as ‘Prestige ranusomware[sic].’

Related Resource

Escape the ransomware maze

Conventional endpoint protection tools just aren’t the best defence anymore

Whitepaper cover with overhead image of a man sat at a deska with a computer in the centre of a maze in the shadowsFree Download

Unlike other ransomware campaigns targeting Ukrainian government and public services, Prestige appears to be only directed towards businesses The threat actor behind the ransomware has not yet been identified, but Microsoft have noted similarities between its operations and those of Russian state-sponsored threat actors, including a shared pool of victims with the HermeticWiper malware strain.

Specific attack vectors for Prestige are being investigated, but in all cases seen in the wild thus far, its operators already had privileged credentials within their victim’s network.

Across the attacks, three distinct methodologies were used to deploy Prestige. In the first, its payload was copied to the ADMIN$ share of a system and remotely executed through a Windows Scheduled Task using Impacket.

The second was largely similar save for the use of a PowerShell command to execute the payload, with the third seeing the payload copied to an Active Directory Domain Controller, which then automatically deployed the ransomware to connected systems.

“It seems that the malicious actors have added the physical supply chain to their targets, possibly signalling that direct cyber-attacks aimed at the Ukrainian and Polish critical infrastructure have failed,” stated Avishai Avivi, CISO at SafeBreach.

Like several other strains of malware, Prestige uses advanced encryption standard (AES) encryption to obfuscate the files of its victims, affecting all files ending in any file extension contained within a hard-coded list. However, it also differs from recent exotic malware strains written in the programming language Rust, or Go, as Prestige uses the more traditional C++, specifically the free cryptography library CryptoPP.

In its blog post on the discovery, Microsoft published a hardcoded RSA X509 public key used to encrypt each of the affected files. It is likely that each version of Prestige comes with its own individual key, but this has not yet been confirmed.

In advance of encryption, Prestige leverages control over the victim’s System32 directory to delete the functions associated with file redirection. It then deletes the system’s backup catalogue and all the volume shadow copies, which are backups and snapshots of files on a system that Windows automatically generates to safeguard data.

As is the case with most ransomware, a text file is then created on the victim’s device at path C:\Users\Public\README, containing a warning not to attempt to recover lost data and instructions on how to pay the threat actors for files to be returned. All encrypted data is appended with the extension ‘.enc’, which is registered under a custom file extension handler so that if any file is opened, the ransom note is instead opened. Custom file extensions have also been used in ransomware such as Gwisin, which has been found attacking pharmaceutical companies in South Korea.

MSTIC has advised organisations to follow best practice against ransomware, ensure good use of multi-factor authentication (MFA), and to watch out for a series of indicators of compromise (IoCs) within network environments. The unknown identity or goals of the strain, which has not been aligned with any of MSTIC's 94 tracked groups within the region, make it one of particular concern.

Featured Resources

2022 State of the multi-cloud report

What are the biggest multi-cloud motivations for decision-makers, and what are the leading challenges

Free Download

The Total Economic Impact™ of IBM robotic process automation

Cost savings and business benefits enabled by robotic process automation

Free Download

Multi-cloud data integration for data leaders

A holistic data-fabric approach to multi-cloud integration

Free Download

MLOps and trustworthy AI for data leaders

A data fabric approach to MLOps and trustworthy AI

Free Download

Recommended

Major security exploits expected to rise before New Year
vulnerability

Major security exploits expected to rise before New Year

1 Nov 2022
Five common data security pitfalls
Whitepaper

Five common data security pitfalls

21 Oct 2022
WordPress plugin vulnerability leaves sites open to total takeover
vulnerability

WordPress plugin vulnerability leaves sites open to total takeover

14 Sep 2022
New approach to ransomware encryption threatens to undermine cyber security strategies
ransomware

New approach to ransomware encryption threatens to undermine cyber security strategies

12 Sep 2022

Most Popular

The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

14 Nov 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

15 Nov 2022
Interpol arrests nearly 1,000 cyber criminals in months-long anti-fraud operation
cyber crime

Interpol arrests nearly 1,000 cyber criminals in months-long anti-fraud operation

25 Nov 2022