Microsoft: New Prestige ransomware targets orgs in Ukraine, Poland (Security News, October 2022)
Microsoft says new Prestige ransomware is being used to target transportation and logistics organizations in Ukraine and Poland in ongoing attacks.
"This activity was not connected to any of the 94 currently active ransomware activity groups that Microsoft tracks. The Prestige ransomware had not been observed by Microsoft prior to this deployment," MSTIC added.
At the moment, Microsoft has yet to link the Prestige ransomware attacks to a specific threat actor and is temporarily tracking this activity cluster as DEV-0960.
Microsoft observed three deployment methods:
- Method 1: The ransomware payload is copied to the ADMIN$ share of a remote system, and Impacket is used to remotely create a Windows Scheduled Task on target systems to execute the payload.
- Method 2: The ransomware payload is copied to the ADMIN$ share of a remote system, and Impacket is used to remotely invoke an encoded PowerShell command on target systems to execute the payload.
- Method 3: The ransomware payload is copied to an Active Directory Domain Controller and deployed to systems using the Default Domain Group Policy Object.
Once deployed, Prestige ransomware payloads drop ransom notes named "README.txt" in the root directory of each drive they encrypt.
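As an added defender-side example (not from Microsoft's advisory or its published hunting queries), the following Python correlation runs over constructed Windows event records and flags Method 1 and Method 2 (an ADMIN$ write followed on the same host by a scheduled-task creation or an encoded PowerShell launch) as well as a README.txt note created in a drive root. The event IDs are the standard Windows (5145, 4698, 4688) and Sysmon (11) IDs; the record layout, field names and sample values are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): a payload written to ADMIN$
# over SMB, then run via a remote scheduled task and via an encoded PowerShell
# command, then a ransom note dropped in a drive root. WS07 is benign noise.
EVENTS = [
    {"t": "2022-10-11T02:00:05", "host": "FS01", "id": 5145,
     "detail": r"share=\\*\ADMIN$ file=payload.exe access=WriteData"},
    {"t": "2022-10-11T02:00:40", "host": "FS01", "id": 4698,
     "detail": r"task=\Tmp command=C:\Windows\payload.exe"},
    {"t": "2022-10-11T02:01:10", "host": "FS01", "id": 4688,
     "detail": "powershell.exe -NoP -EncodedCommand AAAA"},
    {"t": "2022-10-11T02:05:00", "host": "FS01", "id": 11,
     "detail": r"TargetFilename=D:\README.txt"},
    {"t": "2022-10-11T03:00:00", "host": "WS07", "id": 4698,
     "detail": r"task=\Microsoft\Windows\Defrag\ScheduledDefrag command=defrag.exe"},
]

ADMIN_WRITE = re.compile(r"ADMIN\$.*WriteData")                 # 5145 write to ADMIN$
ENCODED_PS = re.compile(r"powershell.*\s-(enc|encodedcommand)\b", re.I)  # 4688 encoded cmd
ROOT_NOTE = re.compile(r"TargetFilename=[A-Za-z]:\\README\.txt$")  # note in drive root


def parse_ts(s):
    return datetime.fromisoformat(s)


def find_remote_exec_after_admin_write(events, window_minutes=10):
    """Return (host, method, time) for each execution that follows an ADMIN$
    write on the same host within the window (Method 1 and Method 2)."""
    writes = [e for e in events if e["id"] == 5145 and ADMIN_WRITE.search(e["detail"])]
    hits = []
    for w in writes:
        start, deadline = parse_ts(w["t"]), parse_ts(w["t"]) + timedelta(minutes=window_minutes)
        for e in events:
            if e["host"] != w["host"] or not (start < parse_ts(e["t"]) <= deadline):
                continue
            if e["id"] == 4698:
                hits.append((w["host"], "method1_scheduled_task", e["t"]))
            elif e["id"] == 4688 and ENCODED_PS.search(e["detail"]):
                hits.append((w["host"], "method2_encoded_powershell", e["t"]))
    return hits


def find_ransom_notes(events):
    """Return (host, path) for README.txt files created directly in a drive root."""
    return [(e["host"], e["detail"].split("=", 1)[1]) for e in events
            if e["id"] == 11 and ROOT_NOTE.search(e["detail"])]
```

In practice the ADMIN$ write alone is a weak signal (administrative tooling uses it too); the value is in the short-window correlation with execution on the same host, which is why the benign scheduled task on WS07 produces no hit.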
Microsoft shared a list of indicators of compromise and advanced hunting queries to help defenders detect and mitigate Prestige ransomware attacks.