A new ransomware strain has been discovered to be targeting organizations in the transportation and logistics industries in Ukraine and Poland with a previously unidentified ransomware payload, according to the Microsoft Threat Intelligence Center (MSTIC).
The MSTIC says that it observed this ransomware strain being deployed in attacks on October 11, 2022, and found a ransom note labeling itself as "Prestige ranusomeware." Security researchers say that this campaign has several notable features differentiating it from other campaigns tracked by Microsoft. Three features that stand out are:
- "The enterprise-wide deployment of ransomware is not common in Ukraine, and this activity was not connected to any of the 94 currently active ransomware activity groups that Microsoft tracks."
- "The Prestige ransomware had not been observed by Microsoft prior to this deployment."
- "The activity shares victimology with recent Russian state-aligned activity, specifically on affected geographies and countries, and overlaps with previous victims of the FoxBlade malware (also known as HermeticWiper)."
Microsoft has not yet linked the campaign to a known threat actor or group and has started tracking its activity as DEV-0960.
Prestige ransomware deployment methods
With ransomware attacks, you typically see a threat actor use a preferred method for payload deployment and execution, and that method tends to be consistent across victims, barring some security configuration that prevents this. With this Prestige campaign, the deployment methods varied across victim environments, and not because of security configurations.
Microsoft researchers say this is "especially notable as the ransomware deployments all occurred within one hour."
In the observed deployments, the threat actor had already obtained high-level credentials, such as Domain Admin, to facilitate the deployment. It has not been determined how the threat actor obtained initial access, but it's possible they already had access from a previous compromise.
There were three deployment methods observed by Microsoft.
Method 1: "The ransomware payload is copied to the ADMIN$ share of a remote system, and Impacket is used to remotely create a Windows Scheduled Task on target systems to execute the payload."
Method 2: "The ransomware payload is copied to the ADMIN$ share of a remote system, and Impacket is used to remotely invoke an encoded PowerShell command on target systems to execute the payload."
Method 3: "The ransomware payload is copied to an Active Directory Domain Controller and deployed to systems using the Default Domain Group Policy Object."
Microsoft reminds everyone that the threat landscape in Ukraine continues to evolve everyday, with data wipers and destructive attacks being a consistent theme, many of which rely on the same security weaknesses to succeed. Organizations should continue to build their security defenses to protect against these threats.
For more information, see the MSTIC's report on the Prestige ransomware campaign.
Follow SecureWorld News for more stories related to cybersecurity.