Microsoft: New ‘Prestige’ Ransomware Targets Private Businesses In Poland, Ukraine

Attacks utilized stolen AD credentials to hit sensitive transportation and logistics sector, Microsoft says.


Microsoft has issued a warning about a new ransomware strain that’s targeting private companies within the transportation and logistics industry in Poland and Ukraine, a development that could have far-reaching implications if the strain spreads to businesses in other countries.

In a blog post, the Microsoft Threat Intelligence Center (MSTIC) stopped short of saying that “Prestige,” as attackers have referred to the strain in recent ransom notes, is a nation-state-connected assault on businesses.

But MSTIC said in its blog post that the “activity shares victimology with recent Russian state-aligned activity, specifically on affected geographies and countries, and overlaps with previous victims of the FoxBlade malware (also known as HermeticWiper).”


The previously unidentified “Prestige” appears to be operating independently of known bad-actor groups across the world, said Microsoft, which is internally referring to the strain as “Dev-0960” until it gathers more information.

Most of the recent attacks seem to involve the theft of Active Directory admin account credentials, sometimes “highly privileged credentials,” as Microsoft described them.

Following Russia’s invasion of Ukraine in early 2022, Microsoft has identified a number of cyberattacks by known actors on Ukraine’s public utilities and other government-related entities.

But “Prestige” appears to be primarily targeting private companies – specifically, private-sector transportation and logistics firms in Ukraine and Poland – and that makes it distinct, Microsoft’s threat team said.

“The enterprise-wide deployment of ransomware (was previously) not common in Ukraine, and this activity was not connected to any of the 94 currently active ransomware activity groups that Microsoft tracks,” MSTIC said in its blog post.

Since the outbreak of the Russo-Ukrainian war, the U.S. government has been nervous about similar cyberattacks against U.S. companies, with the White House earlier this year warning firms to be on guard for possible Russian-backed cyberthreats.

Regarding the “Prestige” attacks, Microsoft reported: “We observed this new ransomware, which labels itself in its ransom note as ‘Prestige ranusomeware’, being deployed on October 11 in attacks occurring within an hour of each other across all victims.”

MSTIC added: “In all observed deployments, the attacker had already gained access to highly privileged credentials, like Domain Admin, to facilitate the ransomware deployment. Initial access vector has not been identified at this time, but in some instances it’s possible that the attacker might have already had existing access to the highly privileged credentials from a prior compromise. In these instances, the attack timeline starts with the attacker already having Domain Admin-level access and staging their ransomware payload.”

In an interview with CRN, Sharon Wagner, CEO of Cybersixgill, a threat intelligence firm based in Tel Aviv, Israel, said it’s too early to tell how big of a threat the “Prestige” strain is to companies across the globe. “We are looking into it right now,” he said.

But he added: “We see a significant uptick in conversations, mentions and discussions around this topic, which will typically indicate that it’s more severe than others.”

He said the amount of behind-the-scenes chatter suggests it could be a major problem, but he emphasized more information and data about “Prestige” is needed before firm conclusions can be reached.

Though much still needs to be learned about the new ransomware strain, the fact that it is being deployed with stolen AD account credentials could heighten debate over the quality of security systems – and particularly Microsoft’s own security features.

At a recent Best of Breed conference hosted by The Channel Company, CrowdStrike CEO George Kurtz blasted Microsoft’s overall security offerings, comparing them collectively to a “leaky lifeboat” and taking specific aim at identity-related breaches involving Microsoft.

In reaction to Kurtz’s comments last week in Atlanta, Microsoft defended its overall security posture and dismissed Kurtz’s barbs as “innuendo and self-serving claims.”