Microsoft has uncovered a novel ransomware campaign aimed at transportation and logistics industries in Ukraine and Poland that uses a previously unidentified ransomware payload.
In the attacks, the hackers left a ransom note in which they named the malware as “Prestige ransomware,” first deployed on October 11 in attacks occurring within an hour of each other across all victims. The origin of the attacks and the perpetrators are unknown. Microsoft first reported the attacks in a blog post on October 14.
It’s unclear if the attacks will be confined to Ukraine and Poland or if the hackers will advance on other countries. Similarly, it’s not known if the attackers will target other critical infrastructure facilities in Ukraine, Poland and elsewhere.
Attacks Familiar But Different
According to Microsoft, the operation mirrors other attacks on Ukraine launched by Russia-backed operatives yet has some features that differentiate it from other ransomware campaigns supported by Moscow. Still, Microsoft has yet to link the attacks to any specific group. The vendor has labeled the activity as DEV-0960.
Here’s what you need to know about Prestige ransomware:
- The enterprise-wide deployment of ransomware is not common in Ukraine, and this activity was not connected to any of the 94 currently active ransomware activity groups that Microsoft tracks.
- The Prestige ransomware had not been observed by Microsoft prior to this deployment.
- The activity shares victimology with recent Russian state-aligned activity, specifically on affected geographies and countries, and overlaps with previous victims of the FoxBlade malware (also known as HermeticWiper).
- The campaign is distinct from recent destructive attacks leveraging AprilAxe (ArguePatch)/CaddyWiper or Foxblade (HermeticWiper) that have impacted multiple critical infrastructure organizations in Ukraine over the last two weeks.
- Microsoft said it is “actively working” with the security community and other partners. While the company didn’t specifically mention managed security service partners, it’s a reasonable assumption that they’ve been engaged at a forensic level.
To deploy the Prestige bug, the attackers had to first gain access to highly privileged credentials, such as Domain Admin. It’s possible, Microsoft said, that the hijackers had previously gained the highly privileged credential from prior attacks.
Ransomware Methods Explained
Microsoft identified three methods of the attackers used to deploy the ransomware:
- Method 1. The ransomware payload is copied to the ADMIN$ share of a remote system, and Impacket is used to remotely create a Windows Scheduled Task on target systems to execute the payload
- Method 2. The ransomware payload is copied to the ADMIN$ share of a remote system, and Impacket is used to remotely invoke an encoded PowerShell command on target systems to execute the payload
- Method 3. The ransomware payload is copied to an Active Directory Domain Controller and deployed to systems using the Default Domain Group Policy Object.
Microsoft security researchers have identified five indicators of compromise, of which admins should take note. Microsoft said that the following list is not "exhaustive":
- 5dd1ca0d471dee41eb3ea0b6ea117810f228354fc3b7b47400a812573d40d91d
- 5fc44c7342b84f50f24758e39c8848b2f0991e8817ef5465844f5f2ff6085a57
- 6cff0bbd62efe99f381e5cc0c4182b0fb7a9a34e4be9ce68ee6b0d0ea3eee39c
- A32bbc5df4195de63ea06feb46cd6b55
- C:\Users\Public\README
How to Protect Your Assets
Microsoft recommended six mitigations to prevent the attackers from gaining a foothold by commandeering administrative privileges:
- Block process creations originating from PSExec and WMI commands to stop lateral movement utilizing the WMIexec component of Impacket.
- Enable Tamper protection to prevent attacks from stopping or interfering with Microsoft Defender.
- Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.
- While this attack differs from traditional ransomware, Microsoft recommended users deploy its ransomware guidance helps protect against the credential theft, lateral movement, and ransomware deployment used by DEV-0960.
- Admins and users should use the included indicators of compromise to investigate whether they exist in your environment and assess for potential intrusion.
- Enable multifactor authentication (MFA) to mitigate potentially compromised credentials and ensure that MFA is enforced for all remote connectivity, including VPNs. Microsoft strongly encourages all customers download and use password-less solutions like Microsoft Authenticator to secure your accounts.