The Microsoft Threat Intelligence Center (MSTIC) has identified a new ransomware campaign using a previously unknown ransomware payload that targets organizations in the transportation and logistics sectors in Poland and Ukraine. On October 11, this new ransomware, which refers to itself in its ransom note as “Prestige Malware,” was deployed in attacks that hit all victims within an hour of one another.
This ransomware attack stood out from others that Microsoft has detected because of several distinguishing characteristics:
Enterprise-wide deployment of ransomware is uncommon in Ukraine, and this activity was not connected to any of the 94 ransomware activity groups that Microsoft currently tracks.
Microsoft had not observed the Prestige payload before this deployment.
The activity shares victimology with recent Russian state-aligned activity, particularly in the affected regions and countries, and overlaps with prior victims of FoxBlade (also known as HermeticWiper).
Despite using the same deployment techniques, this activity is distinct from the recent destructive attacks using AprilAxe (ArguePatch)/CaddyWiper or FoxBlade (HermeticWiper) that have hit multiple critical infrastructure organizations in Ukraine over the past two weeks. MSTIC's investigation is ongoing and has not yet linked this ransomware campaign to a known threat group. MSTIC is tracking the activity as DEV-0960.
In every observed Prestige deployment, the attacker already held highly privileged credentials, such as Domain Admin. The initial access vector has not yet been identified, but in some cases it is likely that the attacker obtained these credentials in an earlier intrusion. In those cases the attacker already had Domain Admin access at the start of the attack timeframe and was staging the ransomware payload.
This is especially notable because every deployment took place within a single hour. The ransomware was deployed using several distinct methods:
Method 1: the ransomware payload is copied to the ADMIN$ share of a remote system, and Impacket is then used to remotely create a Windows Scheduled Task on the target system that executes the payload.
Two further methods make use of PowerShell commands and the Default Domain Group Policy Object.
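The deployment pattern in Method 1 leaves a footprint in standard Windows Security auditing on the target host, and the following added example (not code from the original article or from Microsoft) shows how a defender can correlate it: an event 5145 recording a write of an executable into the ADMIN$ share from a remote address, followed within minutes by an event 4698 recording a scheduled task whose command runs that file. The matches are then grouped across hosts to surface the fleet-wide, under-an-hour pattern the article describes. The sample records, and the field names `time`, `host`, `share`, `target`, `access_mask`, `task_name` and `command`, are constructed simplifications for this example, not a fixed Windows event schema.

```python
"""Correlate Windows Security events into the remote-deployment pattern
described above: an executable written to a host's ADMIN$ share from a remote
address, followed shortly by a scheduled task on that host that runs it.
Sample records are constructed; field names are an assumed, simplified
rendering of event 5145 (network share object access) and 4698 (scheduled
task created), not a fixed Windows schema."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".bat", ".cmd", ".ps1")
WRITE_MASK = 0x2 | 0x4  # FILE_WRITE_DATA | FILE_APPEND_DATA bits of the 5145 AccessMask

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # FS01: executable written to ADMIN$ from a remote host, task created 38 s later
    {"time": "2022-10-11T13:02:10", "event_id": 5145, "host": "FS01",
     "share": r"\\*\ADMIN$", "target": "payload.exe",
     "source_ip": "10.20.30.40", "access_mask": "0x2"},
    {"time": "2022-10-11T13:02:48", "event_id": 4698, "host": "FS01",
     "task_name": r"\UpdateCheck", "subject_user": r"CORP\da-admin",
     "command": r"C:\Windows\payload.exe"},
    # WEB02: same payload name and source address, about 21 minutes later
    {"time": "2022-10-11T13:23:05", "event_id": 5145, "host": "WEB02",
     "share": r"\\*\ADMIN$", "target": "payload.exe",
     "source_ip": "10.20.30.40", "access_mask": "0x2"},
    {"time": "2022-10-11T13:23:31", "event_id": 4698, "host": "WEB02",
     "task_name": r"\UpdateCheck", "subject_user": r"CORP\da-admin",
     "command": r"C:\Windows\payload.exe"},
    # DC01: read-only access to ADMIN$ (mask 0x1 = FILE_READ_DATA), no task: benign
    {"time": "2022-10-11T13:05:00", "event_id": 5145, "host": "DC01",
     "share": r"\\*\ADMIN$", "target": r"System32\drivers\etc\hosts",
     "source_ip": "10.20.30.7", "access_mask": "0x1"},
    # PRINT01: scheduled task with no preceding ADMIN$ write: not flagged by this rule
    {"time": "2022-10-11T13:40:00", "event_id": 4698, "host": "PRINT01",
     "task_name": r"\NightlyBackup", "subject_user": r"CORP\svc-backup",
     "command": r"C:\Tools\backup.exe"},
]


@dataclass(frozen=True)
class Finding:
    host: str
    source_ip: str
    payload: str            # basename of the executable written to ADMIN$
    task_name: str
    subject_user: str
    task_time: datetime
    seconds_after_write: float


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["time"])


def _is_admin_share_exe_write(event: dict) -> bool:
    """True for a 5145 record that writes an executable into ADMIN$."""
    if event["event_id"] != 5145 or not event["share"].upper().endswith("ADMIN$"):
        return False
    if int(event["access_mask"], 16) & WRITE_MASK == 0:
        return False
    return event["target"].lower().endswith(EXECUTABLE_SUFFIXES)


def correlate(events: list[dict], window_minutes: int = 15) -> list[Finding]:
    """Pair each scheduled-task creation with an earlier ADMIN$ executable write
    on the same host, within window_minutes, whose file name appears in the
    task command."""
    window = timedelta(minutes=window_minutes)
    writes_by_host: dict[str, list[dict]] = defaultdict(list)
    findings: list[Finding] = []
    for ev in sorted(events, key=_ts):          # time order, so writes precede tasks
        if _is_admin_share_exe_write(ev):
            writes_by_host[ev["host"]].append(ev)
        elif ev["event_id"] == 4698:
            for write in writes_by_host[ev["host"]]:
                payload = write["target"].rsplit("\\", 1)[-1].lower()
                delta = _ts(ev) - _ts(write)
                if delta <= window and payload in ev["command"].lower():
                    findings.append(Finding(
                        host=ev["host"], source_ip=write["source_ip"],
                        payload=payload, task_name=ev["task_name"],
                        subject_user=ev["subject_user"], task_time=_ts(ev),
                        seconds_after_write=delta.total_seconds()))
    return findings


def coordinated_deployments(findings: list[Finding],
                            span_minutes: int = 60) -> dict[str, list[str]]:
    """Group findings by payload name and report payloads that reached two or
    more hosts within span_minutes (the article: all victims hit inside an hour)."""
    by_payload: dict[str, list[Finding]] = defaultdict(list)
    for f in findings:
        by_payload[f.payload].append(f)
    result: dict[str, list[str]] = {}
    for payload, group in by_payload.items():
        group.sort(key=lambda f: f.task_time)
        hosts = sorted({f.host for f in group})
        spread = group[-1].task_time - group[0].task_time
        if len(hosts) >= 2 and spread <= timedelta(minutes=span_minutes):
            result[payload] = hosts
    return result


if __name__ == "__main__":
    found = correlate(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.host}: {f.payload} staged from {f.source_ip}; task {f.task_name} "
              f"created by {f.subject_user} {f.seconds_after_write:.0f}s after the write")
    print("coordinated deployments:", coordinated_deployments(found))
```

Both event types only exist if the relevant audit subcategories are enabled on the hosts (Detailed File Share auditing for 5145, Other Object Access Events for 4698), so the rule is only as good as the audit policy feeding it. The per-host window is deliberately short because the scheduled task in Method 1 is created right after the copy; the cross-host grouping is what distinguishes a coordinated deployment from an administrator legitimately pushing a tool to one machine.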
Recommended customer actions
The actor deployed the ransomware payload after an initial intrusion that yielded access to highly privileged credentials. The techniques the actor used, outlined in the “Observed Actor Activity” section, can be mitigated by following the security recommendations below:
- Block process creations originating from PSExec and WMI commands, to prevent lateral movement using the WMIexec component of Impacket.
- Enable tamper protection to prevent attacks from stopping or interfering with Microsoft Defender.
- Enable cloud-delivered protection in Microsoft Defender Antivirus, or the equivalent in your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block the large majority of new and unknown variants.
- Although this attack differs from conventional ransomware, following our guidance on protecting against ransomware helps prevent the credential theft, lateral movement and ransomware deployment techniques used by DEV-0960.
- Use the indicators of compromise that are presented to investigate whether they exist in your environment and to assess potential intrusion.
- Enable multifactor authentication (MFA) to mitigate the risk of credential theft, and ensure it is enforced for all remote connectivity, including VPNs. Microsoft urges all customers to download and use passwordless solutions such as Microsoft Authenticator to secure their accounts.