New 'Prestige' ransomware targets Ukraine, Poland: Microsoft
The activity seems to overlap with the victims of FoxBlade or HermeticWiper malware
Microsoft says it has found evidence of a new ransomware campaign targeting businesses in the logistics and transportation sectors in Poland and Ukraine utilising a payload that has not been seen before.
On Tuesday, October 11, the ransomware, which refers to itself as "Prestige ranusomeware" (sic) in its ransom notes, was deployed against multiple victims within an hour of one another, the Microsoft Threat Intelligence Center (MSTIC) said in a blog post.
MSTIC stated that it had not yet been able to attribute the attacks to any known group. However, the researchers found that the activity closely resembled past attacks on Ukrainian government organisations by a threat actor with ties to the Russian government.
'Prestige' ransomware activity seems to have overlapped with the victims of FoxBlade or HermeticWiper malware that targeted hundreds of systems in Ukraine, Latvia and Lithuania in February at the start of Russia's invasion of Ukraine.
MSTIC is using the identifier DEV-0960 for this activity.
Microsoft uses the DEV-#### designations to give a temporary name to a cluster of threat activity that is unknown, emerging, or developing. This allows MSTIC to track the activity as a distinct set of information until the researchers gain high confidence in the identity of the actor responsible for the activity.
According to Microsoft, the DEV-0960 activity included the use of the following two remote execution utilities prior to deploying the ransomware:
- Commercially available RemoteExec tool for agentless remote code execution
- Open-source script-based solution Impacket WMIexec for remote code execution
In some instances, DEV-0960 used the following tools for privilege escalation and credential extraction in order to obtain highly privileged credentials:
- winPEAS - a collection of open-source scripts for Windows privilege escalation
- comsvcs.dll - used to dump the memory of the LSASS process and steal login details
- ntdsutil.exe - used to back up the Active Directory database, likely for using credentials at a later time
In all instances where a ransomware deployment was seen, the attacker already had access to highly privileged credentials, such as Domain Admin.
The attackers deployed the payloads throughout the victim networks using a variety of techniques.
One technique involved copying the ransomware payload to the ADMIN$ share of a remote system, then using Impacket to remotely create a Windows Scheduled Task on the target system that executes the payload.
Another technique involved copying the ransomware payload to the ADMIN$ share of a remote system and then using Impacket to remotely execute a PowerShell command on the target system that runs the payload.
In the third method, the ransomware payload was copied to an Active Directory Domain Controller, and the Default Domain Policy Group Policy Object was then used to deploy it to domain-joined systems.
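The credential-theft tooling (comsvcs.dll LSASS dumps, ntdsutil backups of NTDS.dit) and the three deployment techniques above all leave distinctive traces in Windows Security event logs: process creation (4688), access to administrative shares (5145), scheduled task creation (4698) and directory object modification (5136). The following is an added example of correlation logic a SOC might write for this tradecraft; it is not code from the Microsoft report. The sample events are constructed for the demo with simplified field names, the 60-second correlation window is an arbitrary choice, and the Default Domain Policy is matched by its well-known GUID {31B2F340-016D-11D2-945F-00C04FB984F9}.

```python
"""Added example (not from the Microsoft report): detections for DEV-0960-style
credential dumping and ADMIN$/WMI/GPO ransomware deployment, run over constructed
Windows Security events with simplified field names."""
import re
from datetime import datetime, timedelta

# Constructed sample telemetry. 4688 = process creation, 5145 = network share
# object access, 4698 = scheduled task created, 5136 = directory object modified.
SAMPLE_EVENTS = [
    {"time": "2022-10-11T14:00:01", "id": 4688, "host": "ws01",
     "process": r"C:\Windows\System32\rundll32.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 712 C:\temp\l.dmp full"},
    {"time": "2022-10-11T14:05:10", "id": 4688, "host": "dc01",
     "process": r"C:\Windows\System32\ntdsutil.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\temp\ad" q q'},
    {"time": "2022-10-11T16:00:00", "id": 5145, "host": "srv02",
     "share": r"\\*\ADMIN$", "target": "update.exe", "src_ip": "10.0.0.5"},
    {"time": "2022-10-11T16:00:07", "id": 4698, "host": "srv02", "task": r"\Windows\Update"},
    {"time": "2022-10-11T16:01:00", "id": 5145, "host": "srv03",
     "share": r"\\*\ADMIN$", "target": "update.exe", "src_ip": "10.0.0.5"},
    {"time": "2022-10-11T16:01:04", "id": 4688, "host": "srv03",
     "process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": r"powershell.exe -c C:\Windows\update.exe"},
    {"time": "2022-10-11T16:02:00", "id": 5145, "host": "srv04",   # benign: user share, document
     "share": r"\\*\C$", "target": r"Users\bob\report.docx", "src_ip": "10.0.0.9"},
    {"time": "2022-10-11T16:10:00", "id": 5136, "host": "dc01",
     "object_dn": "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=local",
     "attribute": "gPCMachineExtensionNames"},
]

# Command-line signatures for the credential-theft tooling named in the report.
CRED_DUMP_RULES = [
    ("lsass_dump_comsvcs", re.compile(r"comsvcs\.dll.*minidump", re.I)),
    ("ntds_dump_ntdsutil", re.compile(r"ntdsutil.*\b(ifm|create full)\b", re.I)),
]
DEFAULT_DOMAIN_POLICY_GUID = "{31B2F340-016D-11D2-945F-00C04FB984F9}"
LATERAL_WINDOW = timedelta(seconds=60)  # arbitrary demo window between staging and execution
STAGED_EXTENSIONS = (".exe", ".dll", ".bat", ".ps1")


def _ts(event):
    return datetime.fromisoformat(event["time"])


def detect_credential_theft(events):
    """Flag 4688 events whose command line matches an LSASS or NTDS dump pattern."""
    hits = []
    for e in events:
        if e["id"] != 4688:
            continue
        for name, rx in CRED_DUMP_RULES:
            if rx.search(e["cmdline"]):
                hits.append((name, e["host"]))
    return hits


def detect_admin_share_deployment(events):
    """Stage a binary via ADMIN$ (5145), then execute it on the same host within the
    window by a new scheduled task (4698) or a WmiPrvSE-spawned PowerShell (4688)."""
    hits = []
    stages = [e for e in events if e["id"] == 5145
              and e["share"].upper().endswith("ADMIN$")
              and e["target"].lower().endswith(STAGED_EXTENSIONS)]
    for s in stages:
        for e in events:
            if e["host"] != s["host"] or not (timedelta(0) <= _ts(e) - _ts(s) <= LATERAL_WINDOW):
                continue
            if e["id"] == 4698:
                hits.append(("admin_share_then_schtask", s["host"], s["src_ip"]))
            elif (e["id"] == 4688 and e["parent"].lower().endswith("wmiprvse.exe")
                  and e["process"].lower().endswith("powershell.exe")):
                hits.append(("admin_share_then_wmi_powershell", s["host"], s["src_ip"]))
    return hits


def detect_default_gpo_change(events):
    """Flag 5136 modifications to the Default Domain Policy container (by GUID)."""
    return [("default_domain_gpo_modified", e["host"]) for e in events
            if e["id"] == 5136 and DEFAULT_DOMAIN_POLICY_GUID in e["object_dn"].upper()]


def run_all(events):
    return (detect_credential_theft(events) + detect_admin_share_deployment(events)
            + detect_default_gpo_change(events))


if __name__ == "__main__":
    for hit in run_all(SAMPLE_EVENTS):
        print(hit)
```

The ADMIN$ rule deliberately keys on the staging write rather than on Impacket itself: wmiexec and similar tools vary their service and task names, but a binary written to ADMIN$ followed within seconds by a new task or a WmiPrvSE child process on the same host is a stable pattern regardless of the tool. Tune the window and extension list to the environment, and expect to baseline legitimate software deployment that also writes to ADMIN$.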
Once deployed, the Prestige ransomware payload dropped a "README.txt" ransom note in the root directory of each drive it encrypted.
Microsoft advises customers to deploy multifactor authentication (MFA) in order to reduce the risk of credentials being stolen and to ensure that MFA is enforced for all forms of remote connection, including VPNs.
To prevent lateral movement using the WMIexec component of Impacket, Microsoft advises enabling the Microsoft Defender attack surface reduction rule "Block process creations originating from PSExec and WMI commands". To further safeguard their accounts, users are advised to adopt passwordless authentication solutions.