Microsoft: New Prestige ransomware targets orgs in Ukraine, Poland
Security News, October 2022
Microsoft says new Prestige ransomware is being used to target transportation and logistics organizations in Ukraine and Poland in ongoing attacks.
"This activity was not connected to any of the 94 currently active ransomware activity groups that Microsoft tracks. The Prestige ransomware had not been observed by Microsoft prior to this deployment," MSTIC added.
At the moment, Microsoft has yet to link the Prestige ransomware attacks to a specific threat actor and is temporarily tracking this activity cluster as DEV-0960.
Microsoft described three methods used to deploy the payload across a victim's environment:

Method 1: The ransomware payload is copied to the ADMIN$ share of a remote system, and Impacket is used to remotely create a Windows Scheduled Task on target systems to execute the payload.

Method 2: The ransomware payload is copied to the ADMIN$ share of a remote system, and Impacket is used to remotely invoke an encoded PowerShell command on target systems to execute the payload.

Method 3: The ransomware payload is copied to an Active Directory Domain Controller and deployed to systems using the Default Domain Group Policy Object.
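The three deployment methods each leave a distinct footprint in the Windows Security log: an executable written to ADMIN$ (Event ID 5145, network share object access), followed on the same host by a scheduled task creation (Event ID 4698) or a process start with an encoded PowerShell command line (Event ID 4688), or an executable staged under the Default Domain Policy folder in SYSVOL. The script below is an added detection example, not one of Microsoft's published hunting queries and not code from the article. It assumes events have already been collected and flattened into a simplified key=value line format (an assumption of this example; real events are EVTX/XML), and it runs over constructed sample events embedded inline.

```python
"""Correlate Windows Security events for the three Prestige deployment methods.

Added example, not Microsoft's hunting queries. Input lines are a constructed,
simplified key=value rendering of Security events (an assumption; a real
collector would produce EVTX/XML and need a parser in front of this).
"""
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Well-known GUID of the Default Domain Policy GPO (a fixed Windows constant).
DEFAULT_DOMAIN_GPO = "{31B2F340-016D-11D2-945F-00C04FB984F9}"
WRITE_BIT = 0x2                 # FILE_WRITE_DATA bit in the 5145 AccessMask
WINDOW = timedelta(minutes=10)  # how long an ADMIN$ write stays "recent"

# Constructed sample events (hostnames, accounts and times are made up).
ENC_WHOAMI = base64.b64encode("whoami".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    r"Time=2022-10-11T14:02:10 EventID=5145 Computer=FS01 Account=corp\svc-bk ShareName=\\*\ADMIN$ RelativeTargetName=enc.exe AccessMask=0x2",
    r"Time=2022-10-11T14:02:41 EventID=4698 Computer=FS01 Account=corp\svc-bk TaskName=\UpdateCheck",
    r"Time=2022-10-11T14:03:05 EventID=5145 Computer=WS22 Account=corp\svc-bk ShareName=\\*\ADMIN$ RelativeTargetName=enc.exe AccessMask=0x2",
    f"Time=2022-10-11T14:03:30 EventID=4688 Computer=WS22 Account=corp\\svc-bk CommandLine=powershell.exe -nop -w hidden -enc {ENC_WHOAMI}",
    r"Time=2022-10-11T14:05:00 EventID=5145 Computer=DC01 Account=corp\svc-bk ShareName=\\*\SYSVOL RelativeTargetName=corp.example\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Scripts\Startup\enc.exe AccessMask=0x2",
    # Benign noise: a scheduled task with no preceding ADMIN$ write, and a write to a user share.
    r"Time=2022-10-11T15:10:00 EventID=4698 Computer=HR07 Account=corp\admin1 TaskName=\Microsoft\Windows\Defrag\ScheduledDefrag",
    r"Time=2022-10-11T15:12:00 EventID=5145 Computer=HR07 Account=corp\user2 ShareName=\\*\Public RelativeTargetName=report.xlsx AccessMask=0x2",
]


def parse_event(line):
    """Split 'Key=Value Key=Value ...' into a dict; only the last value may contain spaces."""
    fields = {m.group(1): m.group(2) for m in re.finditer(r"(\w+)=(.*?)(?= \w+=|$)", line)}
    fields["Time"] = datetime.fromisoformat(fields["Time"])
    return fields


def decode_encoded_powershell(cmdline):
    """Return the decoded -EncodedCommand payload (UTF-16LE base64), or None if absent."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"


def detect(lines):
    """Return (host, rule, detail) alerts for the three deployment patterns."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["Time"])
    admin_writes = defaultdict(list)  # host -> times an executable was written to ADMIN$
    alerts = []

    def recent_admin_write(host, now):
        return any(now - t <= WINDOW for t in admin_writes[host])

    for e in events:
        eid, host, now = e["EventID"], e["Computer"], e["Time"]
        if eid == "5145":
            target = e.get("RelativeTargetName", "")
            writable = int(e.get("AccessMask", "0"), 16) & WRITE_BIT
            if not writable or not target.lower().endswith((".exe", ".dll")):
                continue
            if e["ShareName"].endswith("ADMIN$"):
                # Staging step shared by Method 1 and Method 2.
                admin_writes[host].append(now)
                alerts.append((host, "admin$-exe-write", target))
            elif e["ShareName"].endswith("SYSVOL") and DEFAULT_DOMAIN_GPO in target.upper():
                # Method 3: executable placed under the Default Domain Policy.
                alerts.append((host, "method3-executable-staged-in-default-domain-gpo", target))
        elif eid == "4698" and recent_admin_write(host, now):
            # Method 1: scheduled task created shortly after an ADMIN$ staging write.
            alerts.append((host, "method1-task-after-admin$-write", e["TaskName"]))
        elif eid == "4688":
            decoded = decode_encoded_powershell(e.get("CommandLine", ""))
            if decoded is not None:
                # Method 2: encoded PowerShell on a host that was just staged via ADMIN$.
                rule = ("method2-encoded-powershell-after-admin$-write"
                        if recent_admin_write(host, now) else "encoded-powershell")
                alerts.append((host, rule, decoded))
    return alerts


if __name__ == "__main__":
    for host, rule, detail in detect(SAMPLE_EVENTS):
        print(f"{host:6} {rule:50} {detail}")
```

The correlation window and the ADMIN$-write precondition are what keep the scheduled-task and PowerShell rules from firing on every routine task or script; tune WINDOW to how quickly lateral movement typically proceeds in your environment, and feed the Method 3 rule from file-share auditing on the domain controllers, where SYSVOL writes are logged.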
Once deployed, the Prestige ransomware payload drops a ransom note named "README.txt" in the root directory of each drive it encrypts.
Microsoft shared a list of indicators of compromise and advanced hunting queries to help defenders detect and mitigate Prestige ransomware attacks.