Organizations previously affected by the HermeticWiper malware were reportedly threatened by ransomware unleashed this month targeting the transport and logistics industries in Ukraine and Poland.
Although the victims overlap, researchers at the Microsoft Threat Intelligence Center (MSTIC) say it is unclear whether the Prestige ransomware and HermeticWiper are controlled by the same masterminds.
“Despite using similar deployment techniques, the [Prestige] Campaign differs from recent destructive attacks utilizing AprilAxe (ArguePatch)/CaddyWiper or Foxblade (HermeticWiper) that have hit several critical infrastructure organizations in Ukraine over the past two weeks,” the researchers wrote in a blog post. “MSTIC has not yet linked this ransomware campaign to any known threat group and is continuing the investigation.”
The Microsoft team is tracking the Prestige operators as DEV-0960. MSTIC uses the DEV label for emerging threat groups whose identity has not yet been confirmed.
Prestige – so named because it refers to itself as “Prestige ranusomware” in the ransom note it leaves on infected Windows PCs – was observed on October 11th hitting companies within an hour of one another using three different delivery methods.
HermeticWiper, as the name suggests, is designed to wipe a victim’s Windows computer as soon as it runs, and its makers and masters are said to be affiliated or allied with the Kremlin: it first hit Ukraine the day before the Russian invasion. Since Putin’s war against Ukraine began in February, disk-wiping malware has proliferated.
“The threat landscape in Ukraine is evolving, and wipers and destructive attacks have been a constant theme,” the MSTIC team noted. “Ransomware and wiper attacks rely on many of the same vulnerabilities to succeed.”
It is not yet clear how the extortionists compromised victims’ networks in order to run their file-encrypting malware. However, before the intruders deployed Prestige, they were said to have controlled the systems through two remote execution tools: the commercially available RemoteExec and the open-source Impacket WMIexec.
In addition, they used three tools against some victims to escalate privileges within a network. These include winPEAS, a collection of open-source privilege escalation scripts for Windows systems, and comsvcs.dll, used to dump the memory of the operating system’s Local Security Authority Subsystem Service (LSASS) process to steal credentials.
The third tool – ntdsutil.exe – is used to back up the Active Directory (AD) database, from which credentials can be collected.
After that, the ransomware was deployed. In each case, the attackers had already gained access to highly privileged credentials, including domain admin, to spread their file-encrypting payload.
Most ransomware operators tend to use a one-size-fits-all approach for each victim unless a security configuration forces a change of plan. However, in the case of Prestige, the method used varied from target to target.
“This is particularly notable given that the ransomware installations all occurred within an hour,” the researchers wrote.
Two of the infection methods involve copying the ransomware payload to a remote system’s ADMIN$ share. Then, in one case, Impacket creates a Windows scheduled task on the victim’s system to run the payload. The other method uses Impacket to remotely invoke an encoded PowerShell command on the system to launch the payload.
In the third method, the ransomware payload is copied to an AD domain controller and deployed to target systems using the default domain GPO.
The ransomware, running with administrator privileges, then encrypted files whose extensions matched a hard-coded list, while skipping files in the Windows and ProgramData\Windows directories.
According to Microsoft, steps can be taken to stop this type of lateral movement, including blocking process creations originating from PsExec and WMI commands. It is also recommended to enable tamper protection to prevent malware from interfering with Microsoft Defender, and to enable cloud-delivered protection in Defender Antivirus or competing antivirus tools. ®
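As an added illustration of how a defender might hunt for the pre-ransomware activity described above (this is example code, not Microsoft's or The Register's), the script below runs four detection rules over constructed, Sysmon-style process-creation events: the comsvcs.dll LSASS dump, the ntdsutil AD database backup, and a scheduled-task or encoded-PowerShell launch whose parent is WmiPrvSE.exe, the host process assumed here for commands run remotely via Impacket WMIexec. The pipe-delimited `field=value` line format and all sample values are assumptions made for this example.

```python
import re

# Constructed sample process-creation events, one per line, as pipe-separated
# field=value pairs (an assumed export format; values are invented for this example).
SAMPLE_EVENTS = r"""Image=C:\Windows\System32\rundll32.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 628 C:\temp\l.dmp full
Image=C:\Windows\System32\ntdsutil.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=ntdsutil.exe "ac i ntds" "ifm" "create full C:\temp\ad" q q
Image=C:\Windows\System32\schtasks.exe|ParentImage=C:\Windows\System32\wbem\WmiPrvSE.exe|CommandLine=schtasks.exe /create /tn update /tr C:\Windows\Temp\p.exe /sc once
Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|ParentImage=C:\Windows\System32\wbem\WmiPrvSE.exe|CommandLine=powershell.exe -EncodedCommand SQBFAFgA
Image=C:\Windows\System32\notepad.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=notepad.exe notes.txt
"""

def parse_event(line: str) -> dict:
    """Split one 'k=v|k=v' line into a dict; only the first '=' of each field separates key and value."""
    return dict(part.split("=", 1) for part in line.split("|") if "=" in part)

def classify(ev: dict) -> list:
    """Return the names of every rule the event matches (comparisons are case-insensitive)."""
    image = ev.get("Image", "").lower()
    parent = ev.get("ParentImage", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    hits = []
    # Rule 1: rundll32 loading comsvcs.dll with its MiniDump export (LSASS credential dumping).
    if image.endswith("rundll32.exe") and "comsvcs.dll" in cmd and "minidump" in cmd:
        hits.append("lsass_dump_via_comsvcs")
    # Rule 2: ntdsutil creating an "install from media" copy of the AD database (ntds.dit).
    if image.endswith("ntdsutil.exe") and ("ifm" in cmd or "create full" in cmd):
        hits.append("ntds_backup_via_ntdsutil")
    # Rules 3 and 4: children of the WMI provider host, as spawned by remote WMI execution.
    if parent.endswith("wmiprvse.exe"):
        if image.endswith("schtasks.exe") and "/create" in cmd:
            hits.append("wmi_spawned_scheduled_task")
        if image.endswith("powershell.exe") and re.search(r"-e(?:nc(?:odedcommand)?)?\b", cmd):
            hits.append("wmi_spawned_encoded_powershell")
    return hits

def detect(log_text: str) -> list:
    """Run every rule over every event; return (rule, command line) pairs in event order."""
    findings = []
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        findings.extend((rule, ev.get("CommandLine", "")) for rule in classify(ev))
    return findings

if __name__ == "__main__":
    for rule, cmdline in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {cmdline}")
```

Any one of these hits on a server or domain controller is worth triaging on its own; several within the same hour across hosts matches the pre-deployment pattern MSTIC describes.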
https://www.theregister.com/2022/10/18/prestige_ransomware_microsoft_ukraine/ Prestige ransomware hits victims of HermeticWiper • The Register