Skip to main content
Microsoft Security

New “Prestige” ransomware impacts organizations in Ukraine and Poland

April 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the theme of weather. IRIDIUM is now tracked as Seashell Blizzard.

To learn about how the new taxonomy represents the origin, unique traits, and impact of threat actors, and to get a complete mapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming taxonomy.

November 10, 2022 update: MSTIC has updated this blog to document assessed attribution of DEV-0960 as IRIDIUM, the actor that executed the Prestige ransomware-style attacks.

The Microsoft Threat Intelligence Center (MSTIC) has identified evidence of a novel ransomware campaign targeting organizations in the transportation and related logistics industries in Ukraine and Poland utilizing a previously unidentified ransomware payload. We observed this new ransomware, which labels itself in its ransom note as “Prestige ranusomeware”, being deployed on October 11 in attacks occurring within an hour of each other across all victims.

Attribution to IRIDIUM

As of November 2022, MSTIC assesses that IRIDIUM very likely executed the Prestige ransomware-style attack. IRIDIUM is a Russia-based threat actor tracked by Microsoft, publicly overlapping with Sandworm, that has been consistently active in the war in Ukraine and has been linked to destructive attacks since the start of the war. This attribution assessment is based on forensic artifacts, as well as overlaps in victimology, tradecraft, capabilities, and infrastructure, with known IRIDIUM activity. Review of technical artifacts available to Microsoft links IRIDIUM to interactive compromise activity at multiple Prestige victims as far back as March 2022 and continuing within the week leading up to the October 2022 attack discussed in the blog below.

The Prestige campaign may highlight a measured shift in IRIDIUM’s destructive attack calculus, signaling increased risk to organizations directly supplying or transporting humanitarian or military assistance to Ukraine. More broadly, it may represent an increased risk to organizations in Eastern Europe that may be considered by the Russian state to be providing support relating to the war.

Microsoft would like to acknowledge CERT UA for their cooperation and information sharing to assist in our investigations. CERT UA continues to demonstrate incredible resolve and commitment to security despite physical danger.

Observed actor activity

This ransomware campaign had several notable features that differentiate it from other Microsoft-tracked ransomware campaigns:

Despite using similar deployment techniques, the campaign is distinct from recent destructive attacks leveraging AprilAxe (ArguePatch)/CaddyWiper or Foxblade (HermeticWiper) that have impacted multiple critical infrastructure organizations in Ukraine over the last two weeks. MSTIC has not yet linked this ransomware campaign to a known threat group and is continuing investigations. MSTIC is tracking this activity as IRIDIUM.

This blog aims to provide awareness and indicators of compromise (IOCs) to Microsoft customers and the larger security community. Microsoft continues to monitor this and is in the process of early notification to customers impacted by IRIDIUM but not yet ransomed. MSTIC is also actively working with the broader security community and other strategic partners to share information that can help address this evolving threat through multiple channels.

Pre-ransomware activities

Prior to deploying ransomware, the IRIDIUM activity included the use of the following two remote execution utilities:

To gain access to highly privileged credentials, in some of the environments, IRIDIUM used these tools for privilege escalation and credential extraction:

Ransomware deployment

In all observed deployments, the attacker had already gained access to highly privileged credentials, like Domain Admin, to facilitate the ransomware deployment. Initial access vector has not been identified at this time, but in some instances it’s possible that the attacker might have already had existing access to the highly privileged credentials from a prior compromise. In these instances, the attack timeline starts with the attacker already having Domain Admin-level access and staging their ransomware payload.

Most ransomware operators develop a preferred set of tradecraft for their payload deployment and execution, and this tradecraft tends to be consistent across victims, unless a security configuration prevents their preferred method. For this IRIDIUM activity, the methods used to deploy the ransomware varied across the victim environments, but it does not appear to be due to security configurations preventing the attacker from using the same techniques. This is especially notable as the ransomware deployments all occurred within one hour. The distinct methods for ransomware deployment were:

Malware analysis

The “Prestige” ransomware requires administrative privileges to run. Like many ransomware payloads, it attempts to stop the MSSQL Windows service to ensure successful encryption using the following command (the strings “C:\Windows\System32\net.exe stop” and “MSSQLSERVER” are both hardcoded in the analyzed samples):

Screenshot of command line

Prestige creates C:\Users\Public\README and stores the following ransom note in the file. The same file is also created in the root directory of each drive:

Screenshot of the ransom note, which says:

YOU PERSONAL FILES HAVE BEEN ENCRYPTED.

To decrypt all the data, you will need to purchase our decryption software.
Contact us Prestige.ranusomeware@Proton.me. In the letter, type your ID = <REDACTED>.

* ATTENTION *
- Do not try to decrypt your data using third party software, it may cause permanent data loss.
- Do not modify or rename encrypted files. You will lose them.
Prestige ransom note

Prestige then traverses the files on the file system and encrypts the contents of files that have one of the following hardcoded file extensions, avoiding encrypting files in the C:\Windows\ and C:\ProgramData\Microsoft\ directories:

After encrypting each file, the ransomware appends the extension .enc to the existing extension of the file. For example, changes.txt is encrypted and then renamed to changes.txt.enc. Prestige uses the following two commands to register a custom file extension handler for files with .enc file extension:

Screenshot of command lines.
Screenshot of the Registry Editor displaying the custom file extension handler.
Custom file extension handler for files with .enc extension

As a result of creating the custom file extension handler, when any file carrying the file extension .enc (i.e., encrypted by Prestige) is opened by a user, the file extension handler uses Notepad to open C:\Users\Public\README, which contains the ransom note.

To encrypt files, Prestige leverages the CryptoPP C++ library to AES-encrypt each eligible file. During the encryption process, the following hardcoded RSA X509 public key is used by one version of the ransomware (each version of Prestige may carry a unique public key):

Screenshot of a public key.

To hinder system and file recovery, Prestige runs the following command to delete the backup catalog from the system:

Screenshot of command for deleting the backup catalog

Prestige also runs the following command to delete all volume shadow copies on the system:

Screenshot of command to delete shadow copies

Before running the commands above, the 32-bit version of Prestige calls the function Wow64DisableWow64FsRedirection() to disable file system redirection and gain access to the native System32 directory. After running the commands above, Prestige restores file system redirection by calling the function Wow64RevertWow64FsRedirection().

Microsoft will continue to monitor IRIDIUM activity and implement protections for our customers. The current detections, advanced detections, and IOCs in place across our security products are detailed below.

Looking forward

The threat landscape in Ukraine continues to evolve, and wipers and destructive attacks have been a consistent theme. Ransomware and wiper attacks rely on many of the same security weaknesses to succeed. As the situation evolves, organizations can adopt the hardening guidance below to help build more robust defenses against these threats.

Recommended customer actions

The ransomware payload was deployed by the actor after an initial compromise that involved gaining access to highly privileged credentials. The techniques used by the actor and described in the “Observed Actor Activity” section can be mitigated by adopting the security considerations provided below:

Indicators of compromise (IOCs)

The following table lists the IOCs observed during our investigation. We encourage our customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems.

IndicatorTypeDescription
5dd1ca0d471dee41eb3ea0b6ea117810f228354fc3b7b47400a812573d40d91dSHA-256Prestige ransomware payload
5fc44c7342b84f50f24758e39c8848b2f0991e8817ef5465844f5f2ff6085a57SHA-256Prestige ransomware payload
6cff0bbd62efe99f381e5cc0c4182b0fb7a9a34e4be9ce68ee6b0d0ea3eee39cSHA-256Prestige ransomware payload
a32bbc5df4195de63ea06feb46cd6b55Import hashUnique PE Import Hash shared by ransomware payloads
C:\Users\Public\READMEFile pathFile path of the ransom note

NOTE: These indicators should not be considered exhaustive for this observed activity.

Detections

Microsoft 365 Defender

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects known Prestige ransomware payloads with the following detection:

Microsoft Defender for Endpoint 

Microsoft Defender for Endpoint provides alerts for the indicators used by IRIDIUM discussed above.

Microsoft Defender for Endpoint also provides alerts for the pre-ransom techniques discussed above.

Customers should act on these alerts as they indicate hands-on-keyboard attacks. NOTE: These alerts are not uniquely tied to the Prestige ransomware nor to the campaign discussed.

Advanced hunting queries

Microsoft Sentinel

Prestige ransomware file hashes

This query looks for file hashes and Microsoft Defender Antivirus detections associated with Prestige ransomware payload.

Microsoft 365 Defender

Impacket WMIexec usage

This query surfaces Impacket WMIexec usage on a device:

DeviceProcessEvents
| where Timestamp >= ago(7d)
| where FileName =~ "cmd.exe"
| where ProcessCommandLine has_all (@" 1> \127.0.0.1\", "/Q ", "/c ", @" 2>&1")
| where InitiatingProcessFileName =~ "WmiPrvSE.exe"

This query has the same purpose as above, but it also groups all the commands launched using Impacket WMIexec on the device:

DeviceProcessEvents
| where Timestamp >= ago(7d)
| where FileName =~ "cmd.exe"
| where ProcessCommandLine has_all (@" 1> \127.0.0.1\", "/Q ", "/c ", @" 2>&1")
| where InitiatingProcessFileName =~ "WmiPrvSE.exe"
| project DeviceName, DeviceId, Timestamp, ProcessCommandLine
| summarize make_set(ProcessCommandLine), min(Timestamp), max(Timestamp) by DeviceId, DeviceName

LSASS process memory dumping

This query surfaces attempts to dump the LSASS process memory comsvcs.dll:

let startTime = ago(7d);
let endTime = now();
DeviceProcessEvents
| where Timestamp between (startTime..endTime)
| where FileName =~ 'rundll32.exe'
and ProcessCommandLine has 'comsvcs.dll'
and ProcessCommandLine has_any ('full','MiniDump')
| where not (ProcessCommandLine matches regex @'{[\w\d]{8}-[\w\d]{4}-[\w\d]{4}-[\w\d]{4}-[\w\d]{12}}'
and ProcessCommandLine matches regex @'(\d{2}_){3}' )