17 October 2022

New Prestige ransomware targets Ukraine, Poland, Microsoft warns

Microsoft’s Threat Intelligence Center (MSTIC) research team has detected a never-before-seen ransomware strain called “Prestige” that attacks organizations in the transportation and related logistics industries in Ukraine and Poland.

The new ransomware was first deployed on October 11, in attacks that hit all victims within a one-hour window. Microsoft says that the observed activity was not connected to any of the 94 currently active ransomware gangs tracked by the tech giant. It shares victimology with recent Russian state-linked activity and overlaps with previous victims of the FoxBlade malware (aka HermeticWiper).

“Despite using similar deployment techniques, the campaign is distinct from recent destructive attacks leveraging AprilAxe (ArguePatch)/CaddyWiper or Foxblade (HermeticWiper) that have impacted multiple critical infrastructure organizations in Ukraine over the last two weeks,” Microsoft’s report said.

MSTIC has yet to attribute the activity it is temporarily tracking as DEV-0960 to any known threat actor.

In the preliminary stage of the attack, the threat actor used two remote execution tools: RemoteExec, a commercially available tool for agentless remote code execution, and the open-source Impacket WMIexec. The attacker then used the winPEAS, comsvcs.dll, and ntdsutil.exe utilities to gain access to highly privileged credentials.

“In all observed deployments, the attacker had already gained access to highly privileged credentials, like Domain Admin, to facilitate the ransomware deployment. Initial access vector has not been identified at this time, but in some instances it’s possible that the attacker might have already had existing access to the highly privileged credentials from a prior compromise. In these instances, the attack timeline starts with the attacker already having Domain Admin-level access and staging their ransomware payload,” Microsoft explained.

MSTIC’s report describes the following three methods used for Prestige ransomware deployment:

Method 1: The ransomware payload is copied to the ADMIN$ share of a remote system, and Impacket is used to remotely create a Windows Scheduled Task on target systems to execute the payload.

Method 2: The ransomware payload is copied to the ADMIN$ share of a remote system, and Impacket is used to remotely invoke an encoded PowerShell command on target systems to execute the payload.

Method 3: The ransomware payload is copied to an Active Directory Domain Controller and deployed to systems using the Default Domain Group Policy Object.
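Methods 1 and 2 both leave the same two-step trace on an endpoint: a write to the ADMIN$ share followed shortly by either a scheduled-task creation or an encoded PowerShell launch. The script below is an added detection example, not code from Microsoft's report: it correlates constructed, simplified Windows Security log records (event IDs 5145, 4698 and 4688, reduced to a few assumed field names) per host inside a time window and decodes any -EncodedCommand argument so the analyst can see what was launched.

```python
import base64
import re
from datetime import datetime, timedelta

ADMIN_SHARE = r"\\*\ADMIN$"
# "-e", "-enc", "-EncodedCommand" ... followed by a base64 blob.
ENC_RE = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def b64_utf16(text):  # how PowerShell expects -EncodedCommand input
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")

# Constructed sample events (not real telemetry), modelled on Security log IDs 5145
# (share object access), 4698 (scheduled task created), 4688 (process creation).
EVENTS = [
    {"ts": "2022-10-11T20:01:10", "host": "wks-12", "id": 5145, "share": ADMIN_SHARE, "access": "WriteData"},
    {"ts": "2022-10-11T20:01:42", "host": "wks-12", "id": 4698, "command": r"C:\Windows\payload.exe"},
    {"ts": "2022-10-11T20:03:05", "host": "srv-07", "id": 5145, "share": ADMIN_SHARE, "access": "WriteData"},
    {"ts": "2022-10-11T20:03:30", "host": "srv-07", "id": 4688,
     "command": "powershell.exe -enc " + b64_utf16(r"Start-Process C:\Windows\payload.exe")},
    # Benign: a scheduled task with no preceding ADMIN$ write on that host.
    {"ts": "2022-10-11T09:00:00", "host": "srv-02", "id": 4698, "command": r"C:\tools\backup.exe"},
]

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script from a command line, or None."""
    m = ENC_RE.search(cmdline)
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le") if m else None
    except (ValueError, UnicodeDecodeError):
        return None

def find_deployments(events, window_minutes=10):
    """Map host -> (method, evidence): an ADMIN$ write followed within the window by
    a scheduled-task creation (method 1) or an encoded PowerShell launch (method 2)."""
    window = timedelta(minutes=window_minutes)
    staged, hits = {}, {}  # host -> time of last ADMIN$ write; host -> finding
    for ev in sorted(events, key=lambda e: e["ts"]):
        t, host = datetime.fromisoformat(ev["ts"]), ev["host"]
        if ev["id"] == 5145 and ev["share"] == ADMIN_SHARE and "WriteData" in ev["access"]:
            staged[host] = t
        elif host in staged and t - staged[host] <= window:
            if ev["id"] == 4698:
                hits[host] = (1, ev["command"])
            elif ev["id"] == 4688 and (script := decode_encoded_command(ev["command"])):
                hits[host] = (2, script)
    return hits
```

The benign srv-02 task is not flagged because no ADMIN$ write preceded it, which is what keeps this rule from firing on ordinary scheduled-task creation.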

Additional technical details along with Indicators of Compromise (IoCs) related to the Prestige ransomware attacks can be found here.
