The Prestige ransomware first appeared in the threat landscape on October 11 in attacks occurring within an hour of each other across all victims.
A notable feature of this campaign is that it is uncommon to observe threat actors attempting to deploy ransomware into the networks of Ukrainian enterprises.
Microsoft noticed that this campaign is distinct from recent destructive attacks leveraging AprilAxe (ArguePatch) or Foxblade (HermeticWiper) that hit several critical infrastructure organizations in Ukraine over the last two weeks.
MSTIC has not yet attributed the attacks to a known threat group, meantime, it is tracking the campaign as DEV-0960.
Before deploying ransomware in the target networks, the threat actors were observed using the following two remote execution utilities:
- RemoteExec – a commercially available tool for agentless remote code execution
- Impacket WMIexec – an open-source script-based solution for remote code execution
MSTIC researchers observed the threat actors using three methods to deploy the Prestige ransomware:
- Method 1: The ransomware payload is copied to the ADMIN$ share of a remote system, and Impacket is used to remotely create a Windows Scheduled Task on target systems to execute the payload
- Method 2: The ransomware payload is copied to the ADMIN$ share of a remote system, and Impacket is used to remotely invoke an encoded PowerShell command on target systems to execute the payload
- Method 3: The ransomware payload is copied to an Active Directory Domain Controller and deployed to systems using the Default Domain Group Policy Object
Once deployed, the Prestige ransomware drops a ransom note named “README.txt” in the root directory of each drive it encrypts.
Prestige uses the CryptoPP C++ library to AES-encrypt each eligible file, to prevent data recovery the ransomware deletes the backup catalog from the system.
|5dd1ca0d471dee41eb3ea0b6ea117810f228354fc3b7b47400a812573d40d91d||SHA-256||Prestige ransomware payload|
|5fc44c7342b84f50f24758e39c8848b2f0991e8817ef5465844f5f2ff6085a57||SHA-256||Prestige ransomware payload|
|6cff0bbd62efe99f381e5cc0c4182b0fb7a9a34e4be9ce68ee6b0d0ea3eee39c||SHA-256||Prestige ransomware payload|
|a32bbc5df4195de63ea06feb46cd6b55||Import hash||Unique PE Import Hash shared by ransomware payloads|
|C:\Users\Public\README||File path||File path of the ransom note|