A new ransomware family has been observed targeting transportation and related logistics organizations in Ukraine and Poland, Microsoft warns.
Initially observed last week, the activity surrounding the new malware family, which labels itself Prestige, does not appear to be connected to any of the ransomware or threat groups that Microsoft currently tracks; Microsoft refers to the activity cluster as DEV-0960.
However, the tech giant warns of potential overlaps with previously observed Russian state-sponsored activity through victimology, as some of the targeted organizations were previously hit with the destructive HermeticWiper malware (also known as FoxBlade).
“Despite using similar deployment techniques, the campaign is distinct from recent destructive attacks leveraging AprilAxe (ArguePatch)/CaddyWiper or Foxblade (HermeticWiper) that have impacted multiple critical infrastructure organizations in Ukraine over the last two weeks,” Microsoft says.
DEV-0960, the tech giant says, typically relies on tools such as RemoteExec and Impacket WMIexec to obtain remote code execution on the target environments, and may also use winPEAS, comsvcs.dll, and ntdsutil.exe to escalate privileges and steal Active Directory credentials.
For ransomware deployment, the attackers abuse highly privileged credentials such as Domain Admin, likely obtained from a previous compromise, as the attack timeline began with the attackers “already having Domain Admin-level access and staging their ransomware payload”.
According to Microsoft, all the observed Prestige deployments occurred within one hour, but the attackers used distinct methods for ransomware deployment, including execution from the ADMIN$ share of a remote system via Impacket, or execution from a domain controller via a group policy.
Prestige requires admin privileges for execution, encrypts the contents of files that have specific extensions, appends ‘.enc’ to the file’s name (including the current extension), and drops a ransom note in the C:\Users\Public folder.
The ransomware also registers a custom file extension handler so that, whenever a user attempts to open a .enc file, the ransom note is opened instead, using Notepad.
Prestige also deletes the backup catalog and all volume shadow copies from the system, disabling file system redirection before doing so and re-enabling it afterward.
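The behaviours described above (backup catalog and shadow copy deletion, the .enc extension handler pointing Notepad at a note under C:\Users\Public) are the kind of telemetry a SOC would correlate per host. The following is an added example, not code from the article or from Microsoft: it evaluates constructed Sysmon-style process-creation and registry events against predicates for those behaviours, and flags hosts where several co-occur. The command-line and registry-key patterns are assumed to be the commonly associated ones; the article itself quotes none.

```python
import re

# Constructed sample telemetry (not real logs): records mimic Sysmon-style
# process-creation (event 1) and registry-value-set (event 13) events.
SAMPLE_EVENTS = [
    {"event": 1, "host": "fs01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"event": 1, "host": "fs01", "image": r"C:\Windows\System32\wbadmin.exe",
     "cmdline": "wbadmin delete catalog -quiet"},
    {"event": 13, "host": "fs01", "key": r"HKLM\SOFTWARE\Classes\.enc", "value": "enc"},
    {"event": 13, "host": "fs01",
     "key": r"HKLM\SOFTWARE\Classes\enc\shell\open\command",
     "value": r"C:\Windows\System32\notepad.exe C:\Users\Public\README"},
    {"event": 1, "host": "ws07", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},  # benign admin query, must not fire
]

# Each described behaviour becomes one predicate over a single event.
# Patterns are assumed (typical tooling), not quoted from the article.
RULES = {
    "shadow_copy_deletion": lambda e: e["event"] == 1 and re.search(
        r"(vssadmin(\.exe)?\s+delete\s+shadows|shadowcopy\s+delete)", e["cmdline"], re.I),
    "backup_catalog_deletion": lambda e: e["event"] == 1 and re.search(
        r"wbadmin(\.exe)?\s+delete\s+catalog", e["cmdline"], re.I),
    # Default value of the .enc class key created to register a handler.
    "enc_extension_handler": lambda e: e["event"] == 13 and re.search(
        r"\\Classes\\\.enc$", e["key"], re.I),
    # Handler command launching Notepad on a file under C:\Users\Public.
    "ransom_note_handler_command": lambda e: e["event"] == 13 and re.search(
        r"\\Classes\\enc\\shell\\open\\command$", e["key"], re.I)
        and re.search(r"notepad.*\\Users\\Public\\", e["value"], re.I),
}


def evaluate(events):
    """Return {host: set of matched rule names} for every host with a hit."""
    hits = {}
    for e in events:
        for name, pred in RULES.items():
            if pred(e):
                hits.setdefault(e["host"], set()).add(name)
    return hits


def prestige_like_hosts(events, threshold=3):
    """Hosts where several of the behaviours co-occur. A lone shadow-copy
    deletion is routine admin work; the combination within one host is not."""
    return sorted(h for h, rules in evaluate(events).items() if len(rules) >= threshold)
```

In practice the per-host grouping would also be bounded by a time window, since Microsoft notes the observed deployments completed within about an hour.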
“The threat landscape in Ukraine continues to evolve, and wipers and destructive attacks have been a consistent theme. Ransomware and wiper attacks rely on many of the same security weaknesses to succeed. As the situation evolves, organizations can adopt the hardening guidance below to help build more robust defenses against these threats,” Microsoft concludes.