A previously unseen threat group has hit a number of organizations in Poland and Ukraine with a new strain of ransomware called Prestige, deploying the ransomware in all of the victim networks within about an hour and using several separate deployment methods.
The ransomware attack affected several organizations in the transportation and logistics sectors, and Microsoft researchers who observed evidence of the attacks said the intrusions don’t appear to be connected to any of the known ransomware groups that the company tracks. Although the Prestige ransomware itself is new, the victims and geography overlap with operations by known Russian-aligned threat actors. The ransomware deployments all occurred on Oct. 11, and Microsoft has designated the threat actor behind the operation as DEV-0960.
Details of the attacks are somewhat sparse, and Microsoft’s researchers are not sure how the attackers got into the victim networks in the first place.
“Despite using similar deployment techniques, the campaign is distinct from recent destructive attacks leveraging AprilAxe (ArguePatch)/CaddyWiper or Foxblade (HermeticWiper) that have impacted multiple critical infrastructure organizations in Ukraine over the last two weeks,” Microsoft’s Threat Intelligence Center said in an analysis of the intrusions.
“In all observed deployments, the attacker had already gained access to highly privileged credentials, like Domain Admin, to facilitate the ransomware deployment. Initial access vector has not been identified at this time, but in some instances it’s possible that the attacker might have already had existing access to the highly privileged credentials from a prior compromise. In these instances, the attack timeline starts with the attacker already having Domain Admin-level access and staging their ransomware payload.”
The Prestige ransomware itself is not all that remarkable. It requires admin privileges to execute and then stops the SQL Server Windows service before traversing the file system and encrypting files. What’s interesting about the intrusions is that the threat actor did not use just one method to deploy the ransomware. Rather, the actor employed three separate methods.
“For this DEV-0960 activity, the methods used to deploy the ransomware varied across the victim environments, but it does not appear to be due to security configurations preventing the attacker from using the same techniques. This is especially notable as the ransomware deployments all occurred within one hour,” the MSTIC analysis says.
Two of the methods involve copying the ransomware payload to the ADMIN$ share of the target system and then using the Impacket tool for remote code execution, one through the creation of a scheduled task, and the other through the use of a PowerShell command. The third method involves copying the payload to a Domain Controller and then deploying it organization-wide through a group policy object.
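The first two deployment methods described above share a detectable pattern: a file written to a host's ADMIN$ share, followed shortly afterwards on the same host by a scheduled task creation or a PowerShell script block. The correlation below is an added illustration for defenders, not code from the article or from Microsoft; the pipe-delimited log lines are constructed sample data, while the Windows event IDs (5145, 4698, 4104) are real.

```python
from datetime import datetime, timedelta

# Real Windows event IDs: 5145 = network share object accessed (Detailed
# File Share auditing), 4698 = scheduled task created, 4104 = PowerShell
# script block logged. The log format itself is a constructed simplification.
FOLLOW_ON = {"4698": "scheduled task", "4104": "powershell"}

# Constructed sample events: "timestamp|event_id|host|source_ip|detail".
SAMPLE_EVENTS = """\
2022-10-11T14:02:10|5145|host-a|10.0.0.5|share=ADMIN$ file=payload.exe
2022-10-11T14:03:40|4698|host-a|10.0.0.5|task=\\Update
2022-10-11T14:04:02|5145|host-b|10.0.0.5|share=ADMIN$ file=payload.exe
2022-10-11T14:05:15|4104|host-b|10.0.0.5|scriptblock=Start-Process
2022-10-11T14:06:00|5145|host-c|10.0.0.9|share=C$ file=report.docx
2022-10-11T14:40:00|4698|host-c|10.0.0.9|task=\\Backup
"""


def parse_events(text):
    """Parse the constructed log format into sorted (ts, id, host, src, detail)."""
    events = []
    for line in text.strip().splitlines():
        ts, eid, host, src, detail = line.split("|", 4)
        events.append((datetime.fromisoformat(ts), eid, host, src, detail))
    return sorted(events)


def detect_admin_share_deployment(text, window_minutes=10):
    """Return (host, source_ip, method) for each ADMIN$ write that is followed
    on the same host, within the window, by a scheduled-task creation or a
    PowerShell script block; an ADMIN$ write with no follow-on is ignored."""
    window = timedelta(minutes=window_minutes)
    events = parse_events(text)
    hits = []
    for i, (ts, eid, host, src, detail) in enumerate(events):
        if eid != "5145" or "share=ADMIN$" not in detail:
            continue
        for ts2, eid2, host2, _, _ in events[i + 1:]:
            if ts2 - ts > window:
                break  # events are time-ordered, so nothing later can match
            if host2 == host and eid2 in FOLLOW_ON:
                hits.append((host, src, FOLLOW_ON[eid2]))
                break
    return hits


if __name__ == "__main__":
    for host, src, method in detect_admin_share_deployment(SAMPLE_EVENTS):
        print(f"{src} -> {host}: ADMIN$ write followed by {method}")
```

Several hits from one source address against different hosts inside a short window is the shape of the hour-long deployment the article describes; the C$ write on host-c is deliberately not flagged.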
The ongoing invasion of Ukraine by Russia has also led to plenty of cyber attacks, but there has not been much in the way of ransomware activity. Wiper malware has been far more common in those attacks, though ransomware can be just as devastating.
“The threat landscape in Ukraine continues to evolve, and wipers and destructive attacks have been a consistent theme. Ransomware and wiper attacks rely on many of the same security weaknesses to succeed,” the MSTIC analysis says.