On October 11, a new ransomware campaign known as Prestige targeted Ukraine and Poland’s logistics and transportation sectors. “The activity shares victimology with recent Russian state-aligned activity, specifically on affected geographies and countries, and overlaps with previous victims of the FoxBlade malware (also known as HermeticWiper),” stated the Microsoft Threat Intelligence Center (MSTIC). The company said the intrusions happened within an hour of each other across all victims and connected the infections to an unknown cluster known as DEV-0960. They did not specify the scale of the attacks but stated that they informed all impacted customers. The campaign is also believed to be distinct from other recent destructive attacks involving the use of HermeticWiper and CaddyWiper, the latter launched by a malware loader called ArguePatch (aka AprilAxe). Microsoft reports that the threat actor had already secured privileged access to the compromised environments to spread the ransomware via three different methods. However, the initial access method is still unknown. In a related development, Fortinet FortiGuard Labs revealed a multi-stage attack chain that uses a weaponized Microsoft Excel spreadsheet to deliver Cobalt Strike Beacon. The spreadsheet is masked as a spreadsheet for calculating wages for Ukrainian military troops. “The threat landscape in Ukraine continues to evolve, and wipers and destructive attacks have been a consistent theme. Ransomware and wiper attacks rely on many of the same security weaknesses to succeed,” stated Redmond. The findings match with an explosion of relatively recent ransomware strains that have been gaining ground on the threat environment over the past several months, including Bisamware, Chile Locker, Royal, and Ransom Cartel.
Prestige Ransomware Targets Organizations in Ukraine and Poland￼
The mid-December 2021 appearance of Ransom Cartel is important because it shares technological similarities with REvil ransomware, which was shut down in October 2021 after intense law enforcement scrutiny into its activities following a succession of high-profile attacks on JBS and Kaseya. “Ransom Cartel operators had access to earlier versions of REvil ransomware source code. There was a relationship between the groups at some point, though it may not have been recent,” stated Palo Alto Networks Unit 42. Russian police arrested members of REvil gang, but there are signs that the group may return in some form. A “disgruntled internal source” from the organization gave information regarding the adversary’s Tactics, Techniques, and Procedures (TTPs), providing a critical understanding of the “relationships and inner workings of REvil and its members,” according to cybersecurity firm Trellix in late September. It is not only REvil that has returned to the ransomware radar. Last week, HP Wolf Security reported isolating a Magniber operation that had been discovered to target Windows home users with fake security updates that spread the file-encrypting malware.