Polish and Ukrainian firms targeted by the Prestige ransomware

October 25, 2022
Polish Ukrainian Prestige Ransomware Malware Russian Hackers Geopolitical

Threat actors have used the newly uncovered Prestige ransomware against logistics and transportation companies in Poland and Ukraine. According to reports, the ransomware was first deployed earlier this month.

Researchers noted that the operators launched the ransomware payloads across several victims’ enterprise networks, an approach not seen in other recent attacks on Ukrainian entities.

Moreover, the victim selection overlaps with that of an ongoing Russian state-backed campaign: the Prestige ransomware and the HermeticWiper malware have both hit organisations in countries of strategic interest to the Russian military.

HermeticWiper is destructive malware notorious for data-wiping attacks. Researchers first observed it compromising Ukrainian organisations shortly before Russia’s invasion of Ukraine in February 2022.

Microsoft’s research team has not yet attributed Prestige to a known threat actor and tracks the activity under the temporary designation DEV-0960.

Authorities have been working with the affected organisations whose systems were encrypted by the Prestige ransomware.


Prestige ransomware has three known deployment methods. All three presuppose that the operators already hold administrative credentials in the victim’s environment: writing to a remote ADMIN$ share requires local administrator rights on the target, and modifying the Default Domain Policy requires domain-level privileges.


In the first method, the ransomware payload is copied to the ADMIN$ share of a remote system, and the operators then use Impacket to remotely create a Windows scheduled task on the target system that runs the payload.

In the second method, the payload is again copied to the ADMIN$ share of a remote system, and Impacket is used to remotely execute an encoded PowerShell command on the target system that launches the payload.

In the third method, the payload is copied to an Active Directory domain controller and pushed to the target systems through the Default Domain Group Policy Object.

Whichever method is used, once the payload runs it drops a ransom note named ‘README[.]txt’ in the root directory of every drive it encrypts.

The ransomware encrypts files whose extensions match a hardcoded list and appends the [.]enc extension to each encrypted file’s name. It uses the CryptoPP C++ library to AES-encrypt each matching file on the affected system. To hinder recovery, it also deletes the backup catalogue and all volume shadow copies.
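The three deployment methods and the post-execution behaviours above each leave a distinct trace in Windows telemetry. The following detection script is an added example written for this article; it is not code from the article or from Microsoft’s report. It runs a small set of rules over constructed event records (not real victim data) whose field names are an assumption about how a SIEM might normalise Windows Security and Sysmon events; the event IDs themselves are the real ones: 5145 (network share object accessed), 4698 (scheduled task created), 4688 (process creation), 5136 (directory service object modified) and Sysmon 11 (file created). The payload name, task name and host names in the sample are invented, and the shadow-copy and backup-catalogue deletions are modelled on the standard vssadmin and wbadmin commands for those actions.

```python
"""Detection rules for Prestige-style deployment and post-execution behaviour.

Added example, not from the article or Microsoft's report. Sample events are
constructed in-line; field names are an assumed SIEM normalisation.
"""
import base64
import re

# Well-known GUID of the Default Domain Policy GPO; it is identical in every AD domain.
DEFAULT_DOMAIN_POLICY_GUID = "{31B2F340-016D-11D2-945F-00C04FB984F9}"


def encode_powershell(command):
    """Encode a command the way powershell.exe -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_encoded_powershell(cmdline):
    """Return the decoded -EncodedCommand payload from a command line, or None."""
    m = re.search(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


# Constructed sample telemetry (assumption): payload, task and host names are invented.
EVENTS = [
    {"id": 5145, "host": "WS01", "share": r"\\*\ADMIN$", "path": "payload.exe"},
    {"id": 4698, "host": "WS01", "task": r"\Updater", "command": r"C:\Windows\payload.exe"},
    {"id": 5145, "host": "WS02", "share": r"\\*\ADMIN$", "path": "payload.exe"},
    {"id": 4688, "host": "WS02",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc "
                + encode_powershell(r"Start-Process C:\Windows\payload.exe")},
    {"id": 5136, "host": "DC01", "attribute": "gPCMachineExtensionNames",
     "object_dn": "CN=" + DEFAULT_DOMAIN_POLICY_GUID
                  + ",CN=Policies,CN=System,DC=corp,DC=example"},
    {"id": 4688, "host": "WS02", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"id": 4688, "host": "WS02", "image": r"C:\Windows\System32\wbadmin.exe",
     "cmdline": "wbadmin.exe delete catalog -quiet"},
    {"id": 11, "host": "WS02", "target": r"D:\README.txt"},
    {"id": 11, "host": "WS02", "target": r"D:\finance\q3.xlsx.enc"},
    {"id": 4688, "host": "WS03", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},  # benign noise: must not match any rule
]


def detect(events):
    """Run the Prestige-style rules; return (host, rule_name) findings in event order."""
    findings = []
    # Hosts whose ADMIN$ share received a file: the staging step shared by methods 1 and 2.
    staged = {e["host"] for e in events
              if e["id"] == 5145 and e.get("share", "").upper().endswith("ADMIN$")}
    for e in events:
        host, eid = e["host"], e["id"]
        if eid == 4698 and host in staged:
            # Method 1: staged payload followed by a scheduled task (Impacket atexec pattern).
            findings.append((host, "method1_admin_share_then_scheduled_task"))
        elif eid == 4688:
            cmd = e.get("cmdline", "")
            if "powershell" in e.get("image", "").lower() and host in staged:
                # Method 2: staged payload followed by an encoded PowerShell launch.
                if decode_encoded_powershell(cmd) is not None:
                    findings.append((host, "method2_admin_share_then_encoded_powershell"))
            if re.search(r"vssadmin(?:\.exe)?\s+delete\s+shadows", cmd, re.I):
                findings.append((host, "shadow_copies_deleted"))
            if re.search(r"wbadmin(?:\.exe)?\s+delete\s+catalog", cmd, re.I):
                findings.append((host, "backup_catalog_deleted"))
        elif eid == 5136 and DEFAULT_DOMAIN_POLICY_GUID.lower() in e.get("object_dn", "").lower():
            # Method 3: the Default Domain Policy GPO object was modified on a DC.
            findings.append((host, "method3_default_domain_gpo_modified"))
        elif eid == 11:
            target = e.get("target", "")
            if re.fullmatch(r"[A-Za-z]:\\README\.txt", target, re.I):
                findings.append((host, "ransom_note_at_drive_root"))
            elif target.lower().endswith(".enc"):
                findings.append((host, "enc_extension_written"))
    return findings


if __name__ == "__main__":
    for host, rule in detect(EVENTS):
        print(f"{host}: {rule}")
```

The two ADMIN$ rules deliberately require the share write to precede the execution event on the same host, since scheduled-task creation and encoded PowerShell are common on their own; the GPO rule and the vssadmin/wbadmin rules are high-fidelity by themselves and worth alerting on regardless of context. In production the 5145 lookup would be time-bounded rather than a flat set over all events.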
