
New ‘Prestige’ Ransomware Targets Transportation Industry in Ukraine, Poland

A new ransomware family has been observed targeting transportation and related logistics organizations in Ukraine and Poland, Microsoft warns.

Initially observed last week, the activity surrounding the new malware family, which labels itself Prestige, does not appear to be connected with any of the ransomware or threat groups that Microsoft currently tracks; Microsoft refers to the actor behind it as DEV-0960.

However, the tech giant warns of potential overlaps with previously observed Russian state-sponsored activity through victimology, as some of the targeted organizations were previously hit with the destructive HermeticWiper malware (also known as FoxBlade).

“Despite using similar deployment techniques, the campaign is distinct from recent destructive attacks leveraging AprilAxe (ArguePatch)/CaddyWiper or Foxblade (HermeticWiper) that have impacted multiple critical infrastructure organizations in Ukraine over the last two weeks,” Microsoft says.

DEV-0960, the tech giant says, typically relies on tools such as RemoteExec and Impacket WMIexec to obtain remote code execution on the target environments, and may also use winPEAS, comsvcs.dll, and ntdsutil.exe to escalate privileges and steal Active Directory credentials.

For ransomware deployment, the attackers abuse highly privileged credentials such as Domain Admin, likely obtained in an earlier compromise, as the attack timeline began with the attackers “already having Domain Admin-level access and staging their ransomware payload”.

According to Microsoft, all the observed Prestige deployments occurred within one hour, but the attackers used distinct methods for ransomware deployment, including execution from the ADMIN$ share of a remote system via Impacket, or execution from a domain controller via a group policy.

Prestige requires admin privileges for execution, encrypts the contents of files that have specific extensions, appends ‘.enc’ to the file’s name (including the current extension), and drops a ransom note in the C:\Users\Public folder.

The ransomware also registers a custom file extension handler so that, whenever a user attempts to open a .enc file, the ransom note is opened instead, using Notepad.

Prestige also deletes the backup catalog and all volume shadow copies from the system, disabling file system redirection before doing so and re-enabling it afterwards.
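The behaviours described above (Impacket-style execution via the ADMIN$ share, credential theft with ntdsutil.exe or comsvcs.dll, deletion of shadow copies and the backup catalog, and registration of a .enc extension handler) can be turned into simple host-level detection logic. This is an added example, not code from the article or from Microsoft; the process-creation log lines are constructed, and the regular expressions are assumptions about how these tools typically appear in telemetry, not Prestige's actual command lines.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events, one per line, in the form
# "host | parent_image | command_line". These are NOT real Prestige telemetry.
SAMPLE_EVENTS = [
    r"srv01 | wmiprvse.exe | cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1665 2>&1",
    r'dc01 | cmd.exe | ntdsutil.exe "ac i ntds" ifm "create full C:\temp" q q',
    r"srv02 | cmd.exe | rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump 624 C:\temp\l.dmp full",
    r"srv02 | cmd.exe | vssadmin.exe delete shadows /all /quiet",
    r"srv02 | cmd.exe | wbadmin.exe delete catalog -quiet",
    r"srv02 | cmd.exe | reg add HKCR\.enc /ve /d enc /f",
    r"ws07 | explorer.exe | notepad.exe C:\Users\alice\notes.txt",  # benign
]

# Heuristics keyed to the behaviours the article attributes to DEV-0960 / Prestige.
# Patterns are assumptions about typical tool usage, not signatures from the report.
RULES: Dict[str, re.Pattern] = {
    # WMI-spawned cmd.exe redirecting output into ADMIN$ is the classic wmiexec shape.
    "impacket_wmiexec_pattern": re.compile(r"wmiprvse\.exe \| cmd\.exe .*\\ADMIN\$\\__", re.I),
    # ntdsutil IFM export or comsvcs.dll MiniDump of LSASS: AD credential access.
    "ad_credential_theft": re.compile(r"ntdsutil\.exe.*\bifm\b|comsvcs\.dll.*MiniDump", re.I),
    # Shadow copy / backup catalog removal ahead of encryption.
    "shadow_copy_or_backup_deletion": re.compile(
        r"vssadmin.*delete shadows|wbadmin.*delete catalog|wmic.*shadowcopy.*delete", re.I),
    # Registering a handler for the .enc extension (ransom note opened via Notepad).
    "enc_extension_handler": re.compile(
        r"reg(\.exe)? add .*HKCR\\\.enc|HKLM\\SOFTWARE\\Classes\\\.enc", re.I),
}

def classify(event: str) -> List[str]:
    """Return the names of all rules that match a single event line."""
    return [name for name, rx in RULES.items() if rx.search(event)]

def triage(events: List[str]) -> Dict[str, List[str]]:
    """Group matched rule names per host; hosts with no hits are omitted."""
    hits: Dict[str, set] = {}
    for ev in events:
        host = ev.split("|")[0].strip()
        for tag in classify(ev):
            hits.setdefault(host, set()).add(tag)
    return {h: sorted(t) for h, t in hits.items()}

if __name__ == "__main__":
    for host, tags in triage(SAMPLE_EVENTS).items():
        flag = "STAGING?" if len(tags) >= 2 else ""
        print(f"{host}: {', '.join(tags)} {flag}")
```

A host that trips several categories within a short window (srv02 above) matches the one-hour deployment pattern the article describes and deserves priority over a single isolated hit.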

“The threat landscape in Ukraine continues to evolve, and wipers and destructive attacks have been a consistent theme. Ransomware and wiper attacks rely on many of the same security weaknesses to succeed. As the situation evolves, organizations can adopt the hardening guidance below to help build more robust defenses against these threats,” Microsoft concludes.

Related: Russian Use of Cyberweapons in Ukraine and the Growing Threat to the West

Related: Russia Coordinating Cyberattacks With Military Strikes in Ukraine: Microsoft

Related: Ukraine Says Russia Planning ‘Massive Cyberattacks’ on Critical Infrastructure

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
