Security News > 2022 > October > Microsoft: New Prestige ransomware targets orgs in Ukraine, Poland
Microsoft says new Prestige ransomware is being used to target transportation and logistics organizations in Ukraine and Poland in ongoing attacks.
"This activity was not connected to any of the 94 currently active ransomware activity groups that Microsoft tracks. The Prestige ransomware had not been observed by Microsoft prior to this deployment," MSTIC added.
At the moment, Microsoft is yet to link the Prestige ransomware attacks to a specific threat actor and is temporarily tracking this activity cluster as DEV-0960.
Method 1: The ransomware payload is copied to the ADMIN$ share of a remote system, and Impacket is used to remotely create a Windows Scheduled Task on target systems to execute the payload. Method 2: The ransomware payload is copied to the ADMIN$ share of a remote system, and Impacket is used to remotely invoke an encoded PowerShell command on target systems to execute the payload. Method 3: The ransomware payload is copied to an Active Directory Domain Controller and deployed to systems using the Default Domain Group Policy Object.
Once deployed, Prestige ransomware payloads will drop ransom notes named "README.txt" in the root directory of each drive it encrypts.
Microsoft shared a list of indicators of compromise and advanced hunting queries to help defenders detect and mitigate Prestige ransomware attacks.
News URL
Related news
- Microsoft Teams tactics, malware connect Black Basta, Cactus ransomware (source)
- Microsoft: North Korean hackers join Qilin ransomware gang (source)
- Microsoft: Windows CLFS zero-day exploited by ransomware gang (source)
- Microsoft: Windows CLFS Vulnerability Could Lead to ‘Widespread Deployment and Detonation of Ransomware’ (source)
- Russian Hackers Exploit Microsoft OAuth to Target Ukraine Allies via Signal and WhatsApp (source)