New ‘Prestige’ ransomware campaign targets Ukraine and Poland

A coordinated ransomware campaign targeted the transportation and logistics sectors in Ukraine and Poland this week with a previously unknown payload, researchers from Microsoft said Friday. 

The company’s Threat Intelligence Center said it observed the malware — which calls itself the “Prestige ranusomeware” in its note left on victim devices — deployed Tuesday in “attacks occurring within an hour of each other across all victims.”

Microsoft said it is still investigating and has not yet attributed the campaign to a known threat actor. However, the company wrote there are similarities to other attacks — including destructive wipers — that have targeted Ukraine and its allies since Russia invaded in February.

“The activity shares victimology with recent Russian state-aligned activity, specifically on affected geographies and countries, and overlaps with previous victims of the FoxBlade malware,” the company wrote. 

Researchers are tracking the activity under the designation DEV-0960 and released indicators of compromise to help detect infection. 

In all of the Prestige ransomware deployments observed by Microsoft, the attackers had already gained a high level of access to targeted networks through still unknown means. 

Prior to deploying the ransomware, the attackers were observed using two remote code execution tools: the commercially available RemoteExec as well as open-source solution Impacket WMIexec. In some environments, they used additional tools to extract credentials or gain additional access. 

Microsoft reported seeing three different methods for deploying the ransomware. Two involved attackers uploading the payload to an admin shared folder, then activating it on network systems using remote code tools to trigger them on victim systems. A third involved the payload being added to the Active Directory Domain Controller and deployed across networks. 

Such enterprise-wide deployment is uncommon in Ukraine and the activities were not linked to any of the 94 ransomware groups Microsoft was already tracking, the company said.