Microsoft attributes ‘Prestige’ ransomware attacks on Ukraine and Poland to Russian group

Microsoft officially attributed cyberattacks featuring the 'Prestige' ransomware to a hacking group based in Russia called Iridium.

The ransomware was used in a series of attacks targeting the transportation and logistics sectors in Ukraine and Poland last month, according to a blog post released by Microsoft at the time. 

“As of November 2022, MSTIC assesses that IRIDIUM very likely executed the Prestige ransomware-style attack. IRIDIUM is a Russia-based threat actor tracked by Microsoft, publicly overlapping with Sandworm, that has been consistently active in the war in Ukraine and has been linked to destructive attacks since the start of the war,” the tech giant said on Thursday. 

Microsoft said it based the attribution on several indicators, including the infrastructure used in the attacks and forensic artifacts. 

The company’s security team said it found evidence that Iridium had compromised multiple Prestige victims going back as far as March. 

The group maintained access leading up to October, and Microsoft previously noted that the group behind the attacks had already gained a high level of access to targeted networks through still unknown means. 

Microsoft researchers said the campaign may “highlight a measured shift in IRIDIUM’s destructive attack calculus, signaling increased risk to organizations directly supplying or transporting humanitarian or military assistance to Ukraine.”

“More broadly, it may represent an increased risk to organizations in Eastern Europe that may be considered by the Russian state to be providing support relating to the war,” the researchers explained.

The report notes that Microsoft worked with Ukraine’s CERT UA — the country's main computer incident response organization — on the investigation into the attacks. 

Microsoft’s Threat Intelligence Center said last month that it found the malware deployed in “attacks occurring within an hour of each other across all victims.”

Russia has used a wide array of wipers and ransomware in its cyberattacks on Ukraine and other countries opposed to its invasion, which began in February. 

Prior to deploying the ransomware, the attackers were observed using two remote code execution tools: the commercially available RemoteExec as well as open-source solution Impacket WMIexec. In some environments, they used additional tools to extract credentials or gain additional access. 

Microsoft reported seeing three different methods for deploying the ransomware. Two involved attackers uploading the payload to an admin shared folder, then activating it on network systems using remote code tools to trigger them on victim systems. A third involved the payload being added to the Active Directory Domain Controller and deployed across networks. 

Such enterprise-wide deployment is uncommon in Ukraine and the activities were not linked to any of the 94 ransomware groups Microsoft was already tracking, the company said last month.