Prestige ransomware marks dangerous shift in strategy for threat actor Microsoft says [299 words].
What: Security researchers at Microsoft have spotted Russia-based threat group Iridium dropping a new ransomware payload dubbed “Prestige” on systems belonging to organizations in Ukraine and Poland. The Prestige campaign marks a broadening of focus for Iridium from its usual destructive attacks on targets in Ukraine, to more financially motivated attacks.
Microsoft said its researchers had observed Iridium actors using the commercially available RemoteExec and open-source Impacker WMIexec tools for remote code execution on target systems prior to deploying Prestige ransomware. The attackers choice of tools for accessing privileged credentials, credential extraction and privilege escalation for the campaign include: winPEAS –for privilege escalation on Windows; comsvcs.dll for credential dumping; and ntdsutil.exe to back up the Active Directory database likely for future use.
How: In all instances where Iridum managed to deploy Prestige ransomware in a victim environment the threat actor had already obtained access to Domain Admin or similarly privileged credentials. Microsoft has not been able to determine the initial access vector in these attacks.
Somewhat unusually, though Iridium deployed Prestige ransomware across multiple target networks in a short span of time, the threat actor used three separate methods for deploying it.
- The ransomware payload was copied to the ADMIN$ share of a remote system, and Impacket was used to remotely create a Windows Scheduled Task to execute the payload on target systems.
- The ransomware payload was copied to ADMIN$ share of a remote system and Impacket was used to remotely invoke an encoded PowerShell command on target systems
- The ransomware payload was copied to an Active Directory Domain Controller and deployed to systems using the Default Domain Group Policy Object
More:
Technical details, IOCs and Microsoft’s recommended actions.
