
New ‘Prestige’ Ransomware Targets Transportation Industry in Ukraine, Poland

A new ransomware family has been observed targeting transportation and related logistics organizations in Ukraine and Poland, Microsoft warns.

Microsoft first observed the activity last week. The malware labels itself Prestige, and the group deploying it does not appear to be connected with any of the ransomware or threat groups Microsoft currently tracks, so the company refers to it under the interim designation DEV-0960 (the prefix Microsoft uses for activity clusters it has not yet attributed to a named actor).

However, the tech giant warns of potential overlaps with previously observed Russian state-sponsored activity through victimology, as some of the targeted organizations were previously hit with the destructive HermeticWiper malware (also known as FoxBlade).

“Despite using similar deployment techniques, the campaign is distinct from recent destructive attacks leveraging AprilAxe (ArguePatch)/CaddyWiper or Foxblade (HermeticWiper) that have impacted multiple critical infrastructure organizations in Ukraine over the last two weeks,” Microsoft says.

DEV-0960, the tech giant says, typically relies on remote execution tools such as RemoteExec and Impacket’s wmiexec to run commands on target systems. For privilege escalation and credential theft it may also use winPEAS (a privilege escalation enumeration script), comsvcs.dll (whose MiniDump export can dump LSASS process memory) and ntdsutil.exe (which can copy the Active Directory database, NTDS.dit, and with it every domain account’s password hash).

For ransomware deployment, the attackers abuse highly privileged credentials such as Domain Admin accounts, likely obtained in an earlier compromise: the observed attack timeline began with the attackers “already having Domain Admin-level access and staging their ransomware payload”.

According to Microsoft, all the observed Prestige deployments across the victim organizations landed within a single hour, but the attackers used distinct methods to deploy the ransomware, including copying the payload to the ADMIN$ share of a remote system and executing it through Impacket, or pushing it from a domain controller via a group policy.

Prestige requires administrator privileges to run. It encrypts the contents of files with specific extensions, appends ‘.enc’ to the file name while keeping the original extension (so report.docx becomes report.docx.enc), and drops a ransom note in the C:\Users\Public folder.


The ransomware also registers a custom file extension handler for .enc in the registry, so that whenever a user attempts to open an encrypted file, Windows launches Notepad with the ransom note instead.

Prestige also deletes the system’s backup catalog and all volume shadow copies, which removes the built-in restore points a victim would otherwise use. Before doing so it disables file system redirection (the WOW64 mechanism that silently redirects 32-bit processes away from the native System32 directory, where tools such as wbadmin and vssadmin live) and re-enables it afterwards.
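The tooling, lateral movement and impact behaviors described above (the Impacket wmiexec execution pattern, the ntdsutil and comsvcs.dll credential theft, and the shadow copy, backup catalog and .enc handler changes) are all visible in process-creation telemetry. The following is an added hunting example written for this article; it is not Microsoft’s or SecurityWeek’s code. It runs a small rule set over constructed Sysmon Event ID 1 / Security 4688-style command lines. The Impacket, ntdsutil, comsvcs.dll, vssadmin and wbadmin command shapes are the tools’ publicly documented syntax; the HKCR\enc registry path, the README note name and the use of reg.exe for the handler registration in the sample data are assumptions, since the malware can equally write those keys through the registry API.

```python
"""Hunt Prestige / DEV-0960 tradecraft in process-creation telemetry.

Added example, not Microsoft's or SecurityWeek's code. Rule regexes follow the
tools' public command syntax; the HKCR\\enc path, README note name and reg.exe
usage in the sample data are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    user: str
    parent: str      # parent process image path
    image: str       # process image path
    cmdline: str     # full command line as logged


# (rule name, kill-chain stage, parent-image regex or None, command-line regex)
RULES = [
    # Impacket wmiexec spawns cmd.exe under WmiPrvSE.exe and redirects output to
    # a timestamped file in ADMIN$ so the operator can read it back over SMB.
    ("impacket_wmiexec", "lateral_movement", r"wmiprvse\.exe$",
     r"cmd\.exe\s+/Q\s+/c\s+.*1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+"),
    # ntdsutil "ifm" snapshot writes NTDS.dit (all domain hashes) to disk.
    ("ntdsutil_ifm_dump", "credential_access", None,
     r"ntdsutil(\.exe)?.*\bifm\b.*create\s+full"),
    # rundll32 comsvcs.dll,MiniDump <pid> dumps LSASS without a dedicated tool.
    ("comsvcs_minidump", "credential_access", None,
     r"rundll32(\.exe)?.*comsvcs\.dll.*MiniDump"),
    # Volume shadow copy removal, the usual pre-encryption step.
    ("vss_delete", "impact", None,
     r"vssadmin(\.exe)?.*delete\s+shadows|wmic(\.exe)?.*shadowcopy\s+delete"),
    # Backup catalog removal, which breaks Windows Server Backup restores.
    ("wbadmin_delete_catalog", "impact", None,
     r"wbadmin(\.exe)?.*delete\s+catalog"),
    # .enc file handler pointing at Notepad (assumed reg.exe variant).
    ("enc_handler_registration", "impact", None,
     r"reg(\.exe)?\s+add\s+HKCR\\(\.enc\b|enc\\shell\\open\\command\b.*notepad)"),
]


def match_rules(ev: ProcEvent) -> list[str]:
    """Names of every rule whose parent and command-line patterns match the event."""
    hits = []
    for name, _stage, parent_re, cmd_re in RULES:
        if parent_re and not re.search(parent_re, ev.parent, re.IGNORECASE):
            continue
        if re.search(cmd_re, ev.cmdline, re.IGNORECASE):
            hits.append(name)
    return hits


def hunt(events: list[ProcEvent]) -> dict[str, list[tuple[str, str, str]]]:
    """Group (rule, stage, user) hits per host so the chain is visible per machine."""
    stage_of = {name: stage for name, stage, _p, _c in RULES}
    findings: dict[str, list[tuple[str, str, str]]] = {}
    for ev in events:
        for rule in match_rules(ev):
            findings.setdefault(ev.host, []).append((rule, stage_of[rule], ev.user))
    return findings


def impact_hosts(findings: dict[str, list[tuple[str, str, str]]]) -> list[str]:
    """Hosts already at the impact stage: isolate these first, since all observed
    Prestige deployments landed within a single hour."""
    return sorted(h for h, hits in findings.items()
                  if any(stage == "impact" for _r, stage, _u in hits))


# Constructed sample telemetry (not real incident data).
SAMPLE_EVENTS = [
    ProcEvent("WS01", "CORP\\svc_backup",
              "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "C:\\Windows\\System32\\cmd.exe",
              "cmd.exe /Q /c copy \\\\FS01\\share\\svc.exe C:\\Windows\\svc.exe "
              "1> \\\\127.0.0.1\\ADMIN$\\__1665678901.23 2>&1"),
    ProcEvent("DC01", "CORP\\da_admin",
              "C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\System32\\ntdsutil.exe",
              "ntdsutil.exe \"ac i ntds\" \"ifm\" \"create full C:\\temp\\ntds\" q q"),
    ProcEvent("DC01", "CORP\\da_admin",
              "C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\System32\\rundll32.exe",
              "rundll32.exe C:\\Windows\\System32\\comsvcs.dll,MiniDump 712 C:\\temp\\l.dmp full"),
    ProcEvent("WS01", "CORP\\svc_backup",
              "C:\\Windows\\svc.exe", "C:\\Windows\\System32\\vssadmin.exe",
              "vssadmin.exe delete shadows /all /quiet"),
    ProcEvent("WS01", "CORP\\svc_backup",
              "C:\\Windows\\svc.exe", "C:\\Windows\\System32\\wbadmin.exe",
              "wbadmin.exe delete catalog -quiet"),
    ProcEvent("WS01", "CORP\\svc_backup",
              "C:\\Windows\\svc.exe", "C:\\Windows\\System32\\reg.exe",
              "reg.exe add HKCR\\enc\\shell\\open\\command /ve "
              "/d \"C:\\Windows\\Notepad.exe C:\\Users\\Public\\README\" /f"),
    # Benign: a user redirecting output into their own profile, not ADMIN$.
    ProcEvent("WS02", "CORP\\jdoe",
              "C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\cmd.exe",
              "cmd.exe /Q /c dir 1> C:\\Users\\jdoe\\out.txt 2>&1"),
]

if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for host, hits in sorted(found.items()):
        print(host, hits)
    print("isolate first:", impact_hosts(found))
```

Two caveats a practitioner should keep in mind. Command-line rules only catch the variants that go through a command interpreter: the handler registration and the file system redirection toggle can be done entirely through Windows API calls, so pair these rules with Sysmon Event ID 13 (registry value set) on HKCR\*\shell\open\command and with EDR API telemetry. Group-policy-based deployment from a domain controller leaves no wmiexec pattern at all; for that path, audit GPO modifications (Directory Service Changes, event 5136) on the domain controllers.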

“The threat landscape in Ukraine continues to evolve, and wipers and destructive attacks have been a consistent theme. Ransomware and wiper attacks rely on many of the same security weaknesses to succeed. As the situation evolves, organizations can adopt the hardening guidance below to help build more robust defenses against these threats,” Microsoft concludes.

Related: Russian Use of Cyberweapons in Ukraine and the Growing Threat to the West

Related: Russia Coordinating Cyberattacks With Military Strikes in Ukraine: Microsoft

Related: Ukraine Says Russia Planning ‘Massive Cyberattacks’ on Critical Infrastructure

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
