Microsoft is warning of a “novel” ransomware campaign targeting organizations in Ukraine and Poland leveraging a previously unidentified payload that was deployed in attacks just last week.
According to the Redmond, Wash. IT giant, the new ransomware labels itself as “Prestige ranusomeware” and features an enterprise-wide deployment model that is not common in attacks seen in Ukraine thus far. In addition, this activity does not appear to be connected to any of the 90-plus ransomware activity groups that Microsoft tracks.
In fact, this is the first time Microsoft has ever observed this ransomware strain in the wild.
The company says the activity shares some similarities with Russian state-aligned activity since its victims are Russia’s adversaries. Additionally, some of the victims of the ransomware overlap with victims of FoxBlade, a destructive malware deployed against Ukraine also known as HermeticWiper. Like other mass-deployment ransomware campaigns, the attacks all occurred within an hour of each other across all victims, Microsoft says.
However, this campaign is much different from recent wiper attacks that have impacted multiple critical infrastructure organizations in Ukraine, and it’s unclear which threat group is behind these ransomware attacks.
According to Microsoft, the threat actor behind these attacks uses two widely available remote execution tools: the commercially available RemoteExec for agentless remote code execution, and Impacket WMIExec, an open-source script-based remote code execution tool.
To gain access to highly privileged credentials, the attackers use three main tools for privilege escalation and credential extraction, including:
- winPEAS – an open-source collection of scripts to perform privilege escalation on Windows
- comsvcs.dll – used to dump the memory of the LSASS process and steal credentials
- ntdsutil.exe – used to back up the Active Directory database, likely for later use of the credentials it contains
In all deployments observed by Microsoft, the attacker already had advanced privileges, including Domain Admin. Administrator privileges are required to run the ransomware. However, an initial access vector has not yet been identified, suggesting the threat actor had access from a prior compromise.
This campaign also differs in the methods used to deploy the ransomware.
In one method, the payload is copied to the ADMIN$ share of a remote system, and Impacket is used to remotely create a Windows Scheduled Task on target systems to execute the payload. In another, the ransomware payload is copied to the ADMIN$ share of a remote system, and Impacket is used to remotely invoke an encoded PowerShell command on target systems to execute the payload. Another deployment leverages an Active Directory Domain Controller and the Default Domain Group Policy Object.
Like other ransomware, Prestige attempts to stop the MSSQL Windows service to ensure successful encryption using the command C:\Windows\System32\net.exe stop MSSQLSERVER. The ransomware creates C:\Users\Public\README and stores the ransom note in the file. The same file is also created in the root directory of each drive, Microsoft says.
The ransomware then traverses the files on the file system and encrypts the contents of files while avoiding encrypting files in the C:\Windows\ and C:\ProgramData\Microsoft\ directories, according to the company.
To encrypt files, Prestige leverages the CryptoPP C++ library to AES-encrypt each eligible file. After encrypting each file, the ransomware appends the extension .enc to the existing extension of the file. For example, changes.txt is encrypted and then renamed to changes.txt.enc, Microsoft security experts say.
The ransomware then runs other commands to delete the backup catalog from the system to hinder system and file recovery, and also deletes all volume shadow copies on the system.
In addition to using multifactor authentication and enabling tamper protection and cloud-delivered protection in Microsoft Defender, Microsoft suggests blocking process creations originating from PSExec and WMI commands.
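The behaviours described above (the MSSQLSERVER service stop, the .enc suffix appended to the original extension, the directories Prestige skips, and child processes launched through PsExec or WMI) can be turned into simple detection logic. The following is an added example, not Microsoft's code or its hunting queries; it assumes simplified Sysmon-like event dictionaries with hypothetical paths, and assumes that WMI- and PsExec-launched children appear under the parents WmiPrvSE.exe and PSEXESVC.exe.

```python
import ntpath
import re

# Directories the article says Prestige leaves alone; .enc renames there are unexpected from it.
SKIPPED_DIRS = ("c:\\windows\\", "c:\\programdata\\microsoft\\")
# Assumed parent processes of PsExec- and WMI-launched children (the ASR rule the article cites).
REMOTE_EXEC_PARENTS = {"psexesvc.exe", "wmiprvse.exe"}
MSSQL_STOP = re.compile(r"(?i)\bstop\s+MSSQLSERVER\b")
ENCODED_PS = re.compile(r"(?i)\s-e(c|nc|ncodedcommand)?\s")  # -e / -ec / -enc / -EncodedCommand

# Constructed sample events in a simplified Sysmon-like shape; all paths are hypothetical.
SAMPLE_EVENTS = [
    {"type": "proc", "image": "C:\\Windows\\System32\\net.exe", "cmd": "net.exe stop MSSQLSERVER",
     "parent": "C:\\Users\\Public\\payload.exe"},
    {"type": "proc", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmd": "powershell.exe -enc SQBFAFgA", "parent": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"},
    {"type": "proc", "image": "C:\\Windows\\System32\\cmd.exe", "cmd": "cmd.exe /c whoami",
     "parent": "C:\\Windows\\PSEXESVC.exe"},
    {"type": "proc", "image": "C:\\Windows\\System32\\notepad.exe", "cmd": "notepad.exe",
     "parent": "C:\\Windows\\explorer.exe"},
    {"type": "rename", "old": "C:\\Users\\alice\\changes.txt", "new": "C:\\Users\\alice\\changes.txt.enc"},
    {"type": "rename", "old": "C:\\Users\\alice\\q3.xlsx", "new": "C:\\Users\\alice\\q3.xlsx.enc"},
    {"type": "rename", "old": "C:\\Users\\alice\\notes.docx", "new": "C:\\Users\\alice\\notes.docx.enc"},
    {"type": "rename", "old": "C:\\Windows\\Temp\\x.log", "new": "C:\\Windows\\Temp\\x.log.enc"},
]

def classify(ev):
    """Return detection labels for one event (empty list when nothing matches)."""
    hits = []
    if ev["type"] == "proc":
        image = ntpath.basename(ev["image"]).lower()
        parent = ntpath.basename(ev["parent"]).lower()
        if image == "net.exe" and MSSQL_STOP.search(ev["cmd"]):
            hits.append("mssql_service_stop")          # pre-encryption service stop
        if parent in REMOTE_EXEC_PARENTS:
            hits.append("child_of_" + parent)          # PsExec/WMI remote execution
        if image == "powershell.exe" and ENCODED_PS.search(ev["cmd"]) and parent == "wmiprvse.exe":
            hits.append("encoded_powershell_via_wmi")  # encoded PowerShell invoked over WMI
    elif ev["type"] == "rename":
        new = ev["new"].lower()
        if new.endswith(".enc") and ev["old"].lower() == new[:-4]:  # original extension kept
            hits.append("enc_rename_in_skipped_dir" if new.startswith(SKIPPED_DIRS) else "enc_suffix_rename")
    return hits

def scan(events, rename_threshold=3):
    """Return {index: labels} for matching events and whether .enc renames reached a burst."""
    hits = {i: classify(ev) for i, ev in enumerate(events)}
    burst = sum("enc_suffix_rename" in h for h in hits.values()) >= rename_threshold
    return {i: h for i, h in hits.items() if h}, burst
```

Running `scan(SAMPLE_EVENTS)` flags the service stop, both remotely launched children, the encoded PowerShell, and a burst of three .enc renames, while the rename under C:\Windows\ is labelled separately because Prestige is reported to skip that directory.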
Read Microsoft’s blog on the Prestige ransomware for more information, including indicators of compromise, detections and advanced hunting queries.