Novel ransomware campaign targeting organizations in Ukraine and Poland
Microsoft has identified a new ransomware campaign targeting organizations in Ukraine and Poland. According to the Microsoft Threat Intelligence Center (MSTIC), the ransomware, labelled "Prestige", is being used against organizations in the transportation and related logistics industries in these countries.
While the campaign has not yet been linked to a known threat group, MSTIC is tracking the activity as DEV-0960. Microsoft said it continues to monitor the campaign and is in the process of notifying customers that have been impacted by it but not yet ransomed.
MSTIC highlighted the following features of the Prestige campaign that differentiate it from the other ransomware campaigns Microsoft tracks:
- The enterprise-wide deployment of ransomware is not common in Ukraine, and this activity was not connected to any of the 94 currently active ransomware activity groups that Microsoft tracks
- This ransomware had not been observed by Microsoft prior to this deployment
- The activity shares victimology with recent Russian state-aligned activity, specifically on affected geographies and countries, and overlaps with previous victims of the FoxBlade malware (also known as HermeticWiper)
According to Microsoft, two remote execution utilities, RemoteExec and Impacket WMIexec, are used prior to deploying the ransomware. For privilege escalation and credential extraction, DEV-0960 used tools including winPEAS, comsvcs.dll and ntdsutil.exe.
"In all observed deployments, the attacker had already gained access to highly privileged credentials, like Domain Admin, to facilitate the ransomware deployment. Initial access vector has not been identified at this time, but in some instances, it's possible that the attacker might have already had existing access to the highly privileged credentials from a prior compromise," Microsoft wrote in a blog post.
Microsoft recommends the following customer actions to mitigate the techniques used by the actor:
- Block process creations originating from PSExec and WMI commands to stop lateral movement utilizing the WMIexec component of Impacket.
- Enable Tamper protection to prevent attacks from stopping or interfering with Microsoft Defender.
- Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques.
- Use the indicators of compromise included in Microsoft's blog post to investigate whether they exist in your environment and assess for potential intrusion.
- Enable multifactor authentication (MFA) to mitigate potentially compromised credentials and ensure that MFA is enforced for all remote connectivity, including VPNs.
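The first recommendation above targets the lateral-movement step (Impacket WMIexec and PsExec-style execution). As an added example, not code from Microsoft or the article, the script below classifies constructed Sysmon-style process-creation events by the parent/child relationship those tools leave behind; the output-redirection string it looks for is an assumption based on Impacket wmiexec.py's well-known default of writing command output to the ADMIN$ share over loopback.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style fields), not real telemetry.
SAMPLE_EVENTS = [
    {"host": "fs01", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1665510123.45 2>&1"},
    {"host": "fs01", "parent": r"C:\Windows\PSEXESVC.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c ipconfig /all"},
    {"host": "ws07", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c dir"},
    {"host": "dc01", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c hostname"},
]

# Assumption: Impacket wmiexec.py by default redirects command output to
# "\\127.0.0.1\ADMIN$\__<timestamp>" and appends "2>&1"; that string is a
# strong indicator of the tool, while a bare shell under WmiPrvSE.exe is weaker.
WMIEXEC_REDIRECT = re.compile(
    r"1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\S+\s+2>&1", re.IGNORECASE)
SHELLS = (r"\cmd.exe", r"\powershell.exe")


def classify(event):
    """Return a detection label for one event, or None if it looks benign."""
    parent = event["parent"].lower()
    image = event["image"].lower()
    if parent.endswith(r"\wmiprvse.exe") and image.endswith(SHELLS):
        if WMIEXEC_REDIRECT.search(event["cmdline"]):
            return "wmiexec-pattern"        # high confidence
        return "wmi-spawned-shell"          # lower confidence, review manually
    if parent.endswith(r"\psexesvc.exe"):
        return "psexec-service-child"       # PsExec's service launched the process
    return None


def find_suspicious(events):
    """Return (host, label, cmdline) for every event that gets a label."""
    hits = []
    for e in events:
        label = classify(e)
        if label:
            hits.append((e["host"], label, e["cmdline"]))
    return hits


if __name__ == "__main__":
    for host, label, cmd in find_suspicious(SAMPLE_EVENTS):
        print(f"{host}: {label}: {cmd}")
```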