Summary
In October 2022, a novel ransomware named Prestige was found targeting the logistics and transportation sectors in Ukraine and Poland. According to Microsoft, the victims affected by Prestige overlap with earlier victims of HermeticWiper, spotted in February 2022.
The research also shows that the attackers deployed the ransomware to all victims within a single hour, abusing highly privileged domain credentials to push the payload. Prestige also appeared among the top five ransomware families blocked by Netskope in October 2022.
In November 2022, new research linked Prestige ransomware to a Russia-based threat actor tracked as IRIDIUM, which overlaps with Sandworm, another threat group that has been linked to destructive attacks since the war in Ukraine began. In this blog post, we will show how Prestige ransomware works.
Analysis
The sample we analyzed was likely compiled on October 7, 2022, and it is written in C/C++.
Once executed, Prestige creates its ransom note named “README” in the “C:\Users\Public” folder. The note is also created in folders where there are files encrypted by this ransomware.
Prestige then modifies the Windows registry so that Notepad opens the ransom note every time an “.enc” file is opened, using the following commands:
- C:\Windows\System32\reg.exe add HKCR\.enc /ve /t REG_SZ /d enc /f
- C:\Windows\System32\reg.exe add HKCR\enc\shell\open\command /ve /t REG_SZ /d \"C:\Windows\Notepad.exe C:\Users\Public\README\" /f
Prestige tries to stop the MSSQL Windows service to avoid issues while encrypting files, by running the following command:
- C:\Windows\System32\net.exe stop MSSQLSERVER
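Both of the behaviours above (the reg.exe rewrite of the “.enc” file association and the net.exe stop of MSSQLSERVER) show up as process-creation events on the host, which makes them easy to hunt for in endpoint telemetry. The following is an added detection example written for this post; it is not code from the original analysis or from Netskope. It parses a few constructed process-creation log lines (the `ts=... host=... image=... cmd="..."` layout, the hostnames and the timestamps are assumptions, chosen to resemble a forwarded Sysmon Event ID 1 record) and flags the two command lines, then correlates them per host, since on a real victim both fire together shortly before encryption starts.

```python
import re
from dataclasses import dataclass

# Constructed sample events (not real telemetry). Lines 1, 2 and 4 reproduce
# the three command lines described in the post; line 3 is benign noise.
# The field layout is an assumption for this example.
SAMPLE_EVENTS = [
    r'ts=2022-10-11T08:12:01Z host=WS01 image=C:\Windows\System32\reg.exe cmd="C:\Windows\System32\reg.exe add HKCR\.enc /ve /t REG_SZ /d enc /f"',
    r'ts=2022-10-11T08:12:01Z host=WS01 image=C:\Windows\System32\reg.exe cmd="C:\Windows\System32\reg.exe add HKCR\enc\shell\open\command /ve /t REG_SZ /d \"C:\Windows\Notepad.exe C:\Users\Public\README\" /f"',
    r'ts=2022-10-11T08:12:02Z host=WS01 image=C:\Windows\System32\notepad.exe cmd="notepad.exe C:\Users\alice\notes.txt"',
    r'ts=2022-10-11T08:12:03Z host=WS01 image=C:\Windows\System32\net.exe cmd="C:\Windows\System32\net.exe stop MSSQLSERVER"',
]

# cmd is the last field and may itself contain escaped quotes (\"), so the
# greedy .* anchored to the closing quote at end of line is deliberate.
EVENT_RE = re.compile(
    r'^ts=(?P<ts>\S+)\s+host=(?P<host>\S+)\s+image=(?P<image>\S+)\s+cmd="(?P<cmd>.*)"$'
)

RULE_ENC_HIJACK = "enc_file_association_hijack"
RULE_MSSQL_STOP = "mssql_service_stop"

RULES = [
    # reg.exe rewriting the ".enc" extension: either the HKCR\.enc default
    # value or the HKCR\enc\shell\open\command handler, as the post describes.
    (RULE_ENC_HIJACK,
     re.compile(r'\breg(?:\.exe)?\s+add\s+HKCR\\(?:\.enc|enc\\shell\\open\\command)\b', re.I)),
    # net.exe (or net1.exe) stopping the SQL Server service before encryption.
    (RULE_MSSQL_STOP,
     re.compile(r'\bnet(?:1)?(?:\.exe)?\s+stop\s+MSSQLSERVER\b', re.I)),
]


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    ts: str
    command: str


def parse_event(line):
    """Return the event fields as a dict, or None if the line is not an event."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def scan_events(lines):
    """Run every rule over the command line of every parseable event."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for name, pattern in RULES:
            if pattern.search(ev["cmd"]):
                findings.append(Finding(name, ev["host"], ev["ts"], ev["cmd"]))
    return findings


def hosts_with_both(findings):
    """Hosts on which both behaviours fired: the .enc handler rewrite and the
    MSSQL stop together are a much stronger signal than either alone."""
    rules_by_host = {}
    for f in findings:
        rules_by_host.setdefault(f.host, set()).add(f.rule)
    wanted = {RULE_ENC_HIJACK, RULE_MSSQL_STOP}
    return sorted(h for h, rules in rules_by_host.items() if wanted <= rules)


if __name__ == "__main__":
    hits = scan_events(SAMPLE_EVENTS)
    for f in hits:
        print(f"[{f.rule}] {f.ts} {f.host}: {f.command}")
    print("hosts showing the full sequence:", hosts_with_both(hits))
```

The per-host correlation is the part worth keeping in a real rule set: a lone `net stop MSSQLSERVER` is routine administration, but the same host also registering a `.enc` handler that launches Notepad on a file in `C:\Users\Public` has no legitimate explanation.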