
Organizations in Poland and Ukraine are affected by the new “Prestige” malware.

Prestige Malware

The Microsoft Threat Intelligence Center (MSTIC) has found evidence of a fresh ransomware campaign using a hitherto unnamed ransomware payload that targets businesses in the logistics and transportation sectors in Poland and Ukraine. On October 11, we saw the introduction of this new ransomware, which refers to itself in its ransom note as “Prestige Malware,” in attacks that took place across all victims within an hour of one another.

This ransomware attack stood out from others that Microsoft detected thanks to a number of distinguishing characteristics:

The spread of ransomware across entire organizations is uncommon in Ukraine, and this behavior was unrelated to any of the 94 ransomware activity groups that Microsoft is currently monitoring.

Microsoft was unaware of the Prestige malware prior to this distribution.

The activity shares victimology with recent Russian state-aligned activity, particularly in the affected regions and countries, and overlaps with previous victims of the FoxBlade malware (also known as HermeticWiper).

The effort is distinct from previous destructive attacks utilizing AprilAxe (ArguePatch)/CaddyWiper or Foxblade (HermeticWiper), which have hit numerous critical infrastructure companies in Ukraine over the past two weeks, although using identical deployment methodologies. MSTIC is still conducting investigations but has not yet connected this ransomware attack to a recognized threat group. This behavior is being monitored by MSTIC as DEV-0960.

Ransomware deployment

In all instances where a Prestige malware deployment was seen, the attacker already had access to highly privileged credentials, such as Domain Admin. Although the initial access point has not yet been found, in some cases it is probable that the attacker already held the highly privileged credentials as a result of a previous intrusion. In these situations, the attacker already has Domain Admin access and is preparing the ransomware payload at the beginning of the attack timeframe.

This is particularly noteworthy because every deployment took place within the same hour. The different strategies for ransomware distribution were:

Method 1: Impacket is used to remotely create a Windows Scheduled Task on target systems in order to execute the ransomware payload after the ransomware payload has been copied to the ADMIN$ share of a remote machine.

There are two further techniques that make use of the Default Domain Group Policy Object and PowerShell commands.
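The remote deployment method described above (payload copied to the ADMIN$ share, then executed through a remotely created Scheduled Task) leaves two correlatable traces in the Windows Security log of the target host: a share-access event (ID 5145) for a write to ADMIN$ and a task-creation event (ID 4698). The following detection sketch is an added example, not code from the article or from MSTIC; the event records, the field subset it reads, and the 30-minute pairing window are constructed assumptions for the example.

```python
"""Added detection example for the ADMIN$ copy + remote Scheduled Task pattern.

Not code from the article or from MSTIC. It correlates two Windows Security
events that the described deployment sequence produces on the target host:

  * 5145  network share object access (here, a write to the ADMIN$ share)
  * 4698  a scheduled task was created

Both events carry a Subject Logon ID, so a write and a task creation from the
same logon session, close in time, where the task's command names the file
that was just written, are reported together. Sample events are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

WRITE_BIT = 0x2  # FILE_WRITE_DATA / FILE_ADD_FILE bit in the 5145 AccessMask


@dataclass
class Event:
    ts: datetime
    event_id: int
    logon_id: str           # SubjectLogonId; same value across one logon session
    data: Dict[str, str]    # only the event-specific fields used below


def is_admin_share_write(e: Event) -> bool:
    """True for a 5145 event requesting write access on the ADMIN$ share."""
    if e.event_id != 5145:
        return False
    share = e.data.get("ShareName", "").upper()
    mask = int(e.data.get("AccessMask", "0x0"), 16)
    return share.endswith("ADMIN$") and bool(mask & WRITE_BIT)


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased for comparison."""
    return path.replace("/", "\\").split("\\")[-1].lower()


def correlate(events: List[Event], window: timedelta = timedelta(minutes=30)) -> List[dict]:
    """Pair ADMIN$ writes with later task creations from the same logon session.

    A match requires the same SubjectLogonId, a task created no more than
    `window` after the write, and the written file name inside the task command.
    """
    writes = [e for e in events if is_admin_share_write(e)]
    alerts = []
    for task in (e for e in events if e.event_id == 4698):
        command = task.data.get("Command", "").lower()
        for w in writes:
            if w.logon_id != task.logon_id:
                continue
            delta = task.ts - w.ts
            if delta < timedelta(0) or delta > window:
                continue
            dropped = basename(w.data.get("RelativeTargetName", ""))
            if dropped and dropped in command:
                alerts.append({
                    "logon_id": task.logon_id,
                    "source_ip": w.data.get("IpAddress", "?"),
                    "dropped_file": dropped,
                    "task_name": task.data.get("TaskName", "?"),
                    "seconds_between": int(delta.total_seconds()),
                })
    return alerts


# Constructed sample events (not real telemetry). Logon 0x3e7a1 is the
# suspicious session; the others are benign noise that must not match.
T0 = datetime(2022, 10, 11, 10, 0, 0)
SAMPLE_EVENTS = [
    Event(T0, 5145, "0x3e7a1", {"ShareName": r"\\*\ADMIN$",
          "RelativeTargetName": "sysupdate.exe", "AccessMask": "0x2",
          "IpAddress": "10.0.0.5"}),
    Event(T0 + timedelta(seconds=20), 4698, "0x3e7a1",
          {"TaskName": r"\Constructed\UpdateCheck",
           "Command": r"C:\Windows\sysupdate.exe"}),
    # Benign: read-only access to ADMIN$ (AccessMask 0x1 has no write bit)
    Event(T0 + timedelta(minutes=1), 5145, "0x41b22", {"ShareName": r"\\*\ADMIN$",
          "RelativeTargetName": "System32\\drivers\\etc\\hosts",
          "AccessMask": "0x1", "IpAddress": "10.0.0.9"}),
    # Benign: a task whose command names no file written to ADMIN$
    Event(T0 + timedelta(minutes=2), 4698, "0x41b22",
          {"TaskName": r"\Vendor\Backup",
           "Command": r"C:\Program Files\Vendor\backup.exe"}),
    # Benign: a write to a different administrative share
    Event(T0 + timedelta(minutes=3), 5145, "0x52c33", {"ShareName": r"\\*\C$",
          "RelativeTargetName": "Temp\\report.docx", "AccessMask": "0x2",
          "IpAddress": "10.0.0.7"}),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Keying the pair on the Subject Logon ID rather than on a source address is deliberate: 4698 does not record the remote address, but both events share the logon session that the remote actor established, and a 4624 network logon with that same ID supplies the address if it is needed later. Auditing of Detailed File Share (5145) and Other Object Access (4698) events must be enabled on the hosts for either event to exist.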

Recommended customer actions

After an initial intrusion in which access to highly privileged credentials was acquired, the actor released the ransomware payload. Following the security recommendations given below may mitigate the methods employed by the actor and outlined in the “Observed Actor Activity” section:
