[MART] - Daily Diary #614 - Prestige, A New Ransomware

ctas-mat at appgate.com ctas-mat at appgate.com
Fri Oct 14 22:32:56 UTC 2022 

Hello,

I hope everyone is doing well!

Below is the entry for today.

10/14/2022 - Diary entry #614:

A new ransomware named Prestige was recently discovered in attacks detected within an hour of each other, impacting organizations in Ukraine and Poland. First deployed on October 11, the threat’s activity overlaps with previous victims of the FoxBlade malware, also known as HermeticWiper, a very dangerous kind of malware used for erasing data or making devices unusable (covered in our Daily Diary #462).

Tracked as DEV-0960, the group responsible for deploying the ransomware was observed using RemoteExec and Impacket WMIexec, both are open-source remote code execution tools. To escalate privileges, move laterally, and deploy the ransomware, they used winPEAS, an open-source collection of scripts, and tools to back up the Active Directory database and dump credentials from the LSASS process.

Before encrypting files, the ransomware payload stops the MSSQL Windows service to avoid interruption during the encryption process and then starts encrypting all files using AES (from the CryptoPP C++ library). After encrypting each file, the extension ”.enc” is then appended to the original file name and a ransom note is dropped on each folder.

Additionally, it deletes the Windows backup catalog and the shadow copies and registers a custom file extension handler for files with the “.enc“ extension. When the victim doubles-click an encrypted file, it opens the ransom note on the notepad. To contact the criminals and get the data back, the ransom note provides the email address “Prestige.ranusomeware at Proton.me“ [sic].

After being attacked by the HermeticWiper malware, Ukrainian organizations are now also impacted by this new ransomware. It’s still unclear if this ransomware strain is strictly politically motivated but either way, organizations around the globe should prepare and defend against this new adversary.

Kind Regards,

[https://d3aafpijpsak2t.cloudfront.net/images/Signature/logo@2x.png]<https://www.appgate.com/>

[https://d3aafpijpsak2t.cloudfront.net/images/Signature/likedin@2x.png]<https://www.linkedin.com/company/appgate-security/>     [https://d3aafpijpsak2t.cloudfront.net/images/Signature/twitter@2x.png] <https://twitter.com/AppgateSecurity>   [https://d3aafpijpsak2t.cloudfront.net/images/Signature/youtube@2x.png] <https://www.youtube.com/channel/UC-8GvxcZbm-R3EJNl8jYjiQ>



MART

Malware Analysis and Research Team

Appgate

E: ctas-mat at appgate.com<mailto:ctas-mat at appgate.com>


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.immunityinc.com/pipermail/mart/attachments/20221014/9feefbd0/attachment.htm>

More information about the MART mailing list