Imagine surviving a wiper attack only for ransomware to scramble your restored files

Organizations hit earlier by the HermeticWiper malware have reportedly been menaced by ransomware unleashed this month against transportation and logistics industries in Ukraine and Poland.

Though there is an overlap in victims, it's unclear whether this Prestige ransomware and HermeticWiper are controlled by the same masterminds, according to researchers at the Microsoft Threat Intelligence Center (MSTIC).

"Despite using similar deployment techniques, the [Prestige] campaign is distinct from recent destructive attacks leveraging AprilAxe (ArguePatch)/CaddyWiper or Foxblade (HermeticWiper) that have impacted multiple critical infrastructure organizations in Ukraine over the last two weeks," the researchers wrote in a blog post. "MSTIC has not yet linked this ransomware campaign to a known threat group and is continuing investigations."

The Microsoft team is tracking Prestige as DEV-0960. MSTIC uses the DEV label for emerging threats of which the attackers' identity has not yet been determined.

Prestige – so named because it calls itself "Prestige ranusomeware" in demands left on infected Windows PCs – was seen targeting organizations within an hour of each other October 11, using three deployment methods.

HermeticWiper, as the name suggests, is designed to erase a victim's Windows computer once running on it, and its makers and masters are thought to be linked or aligned to the Kremlin: it first hit Ukraine one day before Russia's invasion. Disk-wiping malware has surged since Putin's war on Ukraine began in February.

"The threat landscape in Ukraine continues to evolve, and wipers and destructive attacks have been a consistent theme," the MSTIC team noted. "Ransomware and wiper attacks rely on many of the same security weaknesses to succeed."

• US election workers slammed with phishing, malware-stuffed emails
• Data-wiper malware strains surge as Ukraine battles ongoing invasion
• The Windows malware on Ukraine CERT's radar
• Where are the (serious) Russian cyberattacks?

It's not yet clear how victims' networks were compromised by the extortionists to run their file-scrambling malware. Before the intruders deployed Prestige, though, they were said to be in control of the systems via two remote-execution tools, the commercially available RemoteExec, and the open-source Impacket WMIexec.

In addition, they used three tools against some victims to escalate privileges once inside a network. Those include winPEAS, which is a collection of open-source scripts for privilege escalation on Windows systems, and comsvcs.dll for dumping the memory of the operating system's Local Security Authority Subsystem Service process to steal credentials.

The third tool – ntdsutil.exe – is used to back up the Active Directory (AD) database, from which credentials could be harvested.

After that, the ransomware was deployed. In each case, the attackers had gained access to highly privileged credentials, including Domain Admin, to spread their document-encrypting code.

Most ransomware operators tend to use a consistent approach for every victim unless a security configuration forces a change of plan. However, in the case of Prestige, the method used varied from target to target.

"This is especially notable as the ransomware deployments all occurred within one hour," the researchers wrote.

In two methods of infection, the ransomware payload is copied to the ADMIN$ share of a remote system. Then in one, Impacket creates a Windows Scheduled Task on the victim's system to execute the payload. In the other method, Impacket is used to remotely invoke an encoded PowerShell command on the system to launch the payload.

With the third technique, the ransomware payload is copied to an AD Domain Controller and deployed to targeted systems using the Default Domain Group Policy Object.

The ransomware, armed with administrative privileges, then encrypted files if they matched a list of extensions. It also avoided encrypting files in the Windows and ProgramData\Windows directories.

There are, according to Microsoft, steps that can be taken now, including blocking process creations coming from PSExec and WMI command, to stop this kind of lateral movement. Enabling tamper protection to keep malware from interfering with Microsoft Defender, and turning on the cloud protection in Defender Antivirus or competing antivirus tools, is also recommended. ®