Microsoft Reports New “Prestige Ransomware” Targeting Transportation and Logistics Organizations in Ukraine and Poland
Microsoft’s Threat Intelligence Center has revealed that a fresh ransomware campaign named “Prestige ransomware” is currently targeting transport and logistics organizations in Ukraine and Poland. This novel ransomware strain was discovered on October 11 and aimed at several victims within a single hour, according to the Center. Researchers were unable to link this strain to any of the 94 active ransomware groups currently under investigation. Although the victim profiles are similar to recent Russian state-associated activities and have an overlap with previous victims of the HermeticWiper malware, researchers stated that this campaign is different from those destructive attacks. The latter has been targeting Ukrainian organizations since before the Russian invasion in February. Russia is among the leading centers of ransomware globally, where many top criminal hacking groups operate and maintain an ambiguous and symbiotic relationship with the Kremlin and intelligence agencies.
Microsoft is currently investigating this situation and has temporarily labeled the campaign as DEV-0960. The company is also contacting affected users who have not yet paid a ransom. Researchers noted that the campaign used three different methods to distribute the payloads across the victims’ networks, which is unusual for ransomware attacks. The majority of ransomware operators develop a preferred set of tradecraft for payload deployment and execution, which usually remains consistent across victims, except when a security configuration prevents their preferred method. In the DEV-0960 operation, however, the techniques used to distribute the ransomware differed across the victim environments, and this does not appear to be due to security configurations preventing the attacker from reusing the same tactics. In one approach, the ransomware payload is copied to the ADMIN$ share of a remote system, and Impacket is used to remotely create a Windows Scheduled Task on the target system to execute the payload.