The doc attachment contacts a link, exploiting the Equation Editor vulnerability, and downloads an exe: the malware. Data is then exfiltrated via SMTP to an email address.
Prestige is a new ransomware targeting Ukraine and Poland, discovered by Microsoft Threat Intelligence Center (MSTIC) cybersecurity experts. The targets are organizations in the transportation and related logistics industries in both countries. The malware was deployed on October 11 in attacks occurring within an hour of each other across all victims. The campaign had several notable features that differentiate it from others:
- The enterprise-wide deployment of ransomware is not common in Ukraine, and this activity was not connected to any of the 94 currently active ransomware activity groups that researchers track;
- The Prestige ransomware had not been observed prior to this deployment;
- The activity shares victimology with recent Russian state-aligned activity, specifically on affected geographies and countries, and overlaps with previous victims of the FoxBlade malware (also known as HermeticWiper).
Despite using similar deployment techniques, the campaign is distinct from recent destructive attacks leveraging AprilAxe (ArguePatch)/CaddyWiper or FoxBlade (HermeticWiper) that have impacted multiple critical infrastructure organizations in Ukraine over the last two weeks. MSTIC has not yet linked this ransomware campaign to a known threat group and is continuing its investigation.