On October 11, a new ransomware campaign known as Prestige targeted the logistics and transportation sectors in Ukraine and Poland. “The activity shares victimology with recent Russian state-aligned activity, specifically on affected geographies and countries, and overlaps with previous victims of the FoxBlade malware (also known as HermeticWiper),” stated the Microsoft Threat Intelligence Center (MSTIC).

The company said the intrusions occurred within an hour of each other across all victims and attributed the infections to a previously unidentified cluster tracked as DEV-0960. It did not specify the scale of the attacks but said it had notified all impacted customers.

The campaign is also believed to be distinct from other recent destructive attacks involving HermeticWiper and CaddyWiper, the latter launched by a malware loader called ArguePatch (aka AprilAxe). Microsoft reports that the threat actor had already secured privileged access to the compromised environments and used it to spread the ransomware via three different methods. The initial access method, however, is still unknown.

In a related development, Fortinet FortiGuard Labs revealed a multi-stage attack chain that uses a weaponized Microsoft Excel spreadsheet to deliver Cobalt Strike Beacon. The spreadsheet is disguised as a wage calculator for Ukrainian military troops.

“The threat landscape in Ukraine continues to evolve, and wipers and destructive attacks have been a consistent theme. Ransomware and wiper attacks rely on many of the same security weaknesses to succeed,” stated Redmond.

The findings coincide with a surge of relatively new ransomware strains that have gained ground in the threat landscape over the past several months, including Bisamware, Chile Locker, Royal, and Ransom Cartel.
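The FortiGuard finding above is a reminder that a spreadsheet arriving by mail is a delivery vehicle first and a document second. The following triage check is an added example, not code from the article or from Fortinet or Microsoft: it inspects an Excel file offline and flags the container properties a defender would want surfaced before the file reaches a user. It assumes nothing about the specific Prestige or Cobalt Strike samples (the article does not say how the weaponized workbook executed its payload); it simply reports whether an OOXML workbook carries a VBA project or external links, and whether a file is a legacy OLE2 binary that needs a different parser. The sample workbooks it builds are constructed in-line for testing and are not real spreadsheets.

```python
import io
import zipfile

# OLE2 compound-file signature used by legacy .xls/.doc binaries (a fact, not an assumption).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Parts inside an OOXML (.xlsx/.xlsm) container whose presence means the workbook
# carries executable content or pulls data from elsewhere. Presence alone is not
# proof of malice; it is what a mail-gateway or sandbox triage step should flag.
FLAGGED_PARTS = {
    "xl/vbaProject.bin": "VBA macro project",
    "xl/externalLinks/": "external workbook link",
}


def triage_workbook(data: bytes) -> dict:
    """Summarise risk indicators for a workbook given as raw bytes.

    Returns a dict with the detected container type, a list of human-readable
    indicators, and a macro_enabled flag derived from both the VBA part and
    the content type declared in [Content_Types].xml.
    """
    result = {"container": None, "indicators": [], "macro_enabled": False}

    # Legacy binary workbooks are not ZIP archives; zipfile cannot read their macros.
    if data[:8] == OLE2_MAGIC:
        result["container"] = "ole2"
        result["indicators"].append("legacy binary workbook (inspect with an OLE parser)")
        return result

    if not zipfile.is_zipfile(io.BytesIO(data)):
        result["container"] = "unknown"
        return result

    result["container"] = "ooxml"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        for name in names:
            for prefix, label in FLAGGED_PARTS.items():
                if name == prefix or name.startswith(prefix):
                    result["indicators"].append(f"{label}: {name}")

        if "xl/vbaProject.bin" in names:
            result["macro_enabled"] = True

        # The declared main-part content type distinguishes .xlsm from .xlsx even
        # when the VBA part has been renamed or omitted from the listing.
        if "[Content_Types].xml" in names:
            content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            if "macroEnabled" in content_types:
                result["macro_enabled"] = True

    return result


def build_sample_workbook(with_macro: bool) -> bytes:
    """Constructed test input: a minimal OOXML container, optionally macro-enabled."""
    buf = io.BytesIO()
    main_type = (
        "application/vnd.ms-excel.sheet.macroEnabled.main+xml"
        if with_macro
        else "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"
    )
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "[Content_Types].xml",
            f'<Types><Override PartName="/xl/workbook.xml" ContentType="{main_type}"/></Types>',
        )
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            # Placeholder bytes standing in for a compiled VBA project.
            zf.writestr("xl/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("macro workbook", build_sample_workbook(True)),
                          ("plain workbook", build_sample_workbook(False)),
                          ("legacy binary", OLE2_MAGIC + b"\x00" * 8)):
        print(label, "->", triage_workbook(sample))
```

In a gateway or sandbox pipeline the `macro_enabled` flag and the indicator list would feed a policy decision (quarantine, detonate, or strip the VBA part) rather than a print statement; the point of checking both the VBA part and the declared content type is that an attacker controls the file name and extension, but not what the ZIP container actually contains.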