Microsoft reports targeted attacks with new Prestige ransomware


Several organizations in Ukraine and Poland have been hit by targeted attacks with a new ransomware strain called Prestige, Microsoft reports. The attacks took place on October 11, with all victims being hit within an hour of each other. According to Microsoft, this ransomware campaign differs from other attacks.

The affected organizations are active in the transport sector and related logistics industries in Ukraine and Poland. Microsoft states that there is an overlap with organizations that were victims of attacks with wiper malware earlier this year. It is not known how the attackers gained access to the networks of the affected organizations. Once active, the attackers deleted the backup catalog from the system, as well as all volume shadow copies, in order to prevent recovery of encrypted files.

In the attacks, the attackers used, among other things, RemoteExec and Impacket WMIexec for remote code execution. Organizations seeking to protect against the attacks are advised, among other things, to block process creations originating from PsExec and WMI commands, in order to stop lateral movement via the WMIexec component of Impacket. Enabling tamper protection in Microsoft Defender is also advised.
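
One way to check and apply the two recommended Defender settings on a Windows host, as an added example that is not part of the original article or of Microsoft's report. The rule GUID is taken from Microsoft's attack surface reduction rule reference, not from this page; the script parameter `-Mode` and the function `Get-AsrRuleState` are names made up for this example.

```powershell
# Added example: report and optionally set the ASR rule
# "Block process creations originating from PSExec and WMI commands",
# and report tamper protection. Run elevated on a host with Defender Antivirus.
param(
    # ReportOnly changes nothing; AuditMode logs would-be blocks; Enabled blocks.
    [ValidateSet('ReportOnly', 'AuditMode', 'Enabled')]
    [string]$Mode = 'ReportOnly'
)

# GUID from Microsoft's ASR rule reference (not stated in the article).
$RuleId = 'd1e49aac-8f56-4280-b9ba-993a6d77406c'
# Numeric action codes as stored in the Defender preferences.
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    param([string]$Id)
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    # Ids and actions are parallel arrays; find this rule's position.
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -eq $Id) { return $ActionNames[[int]$actions[$i]] }
    }
    return 'NotConfigured'
}

$status = Get-MpComputerStatus
[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    AsrRuleState    = Get-AsrRuleState -Id $RuleId
    TamperProtected = $status.IsTamperProtected
}

if ($Mode -ne 'ReportOnly') {
    # Add-MpPreference adds or updates this rule and leaves other rules as they are.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                     -AttackSurfaceReductionRules_Actions $Mode
    Write-Output "ASR rule state is now: $(Get-AsrRuleState -Id $RuleId)"
}

if (-not $status.IsTamperProtected) {
    # Tamper protection has no Defender cmdlet switch; it is set in the
    # Windows Security app or centrally through Intune or the Defender portal.
    Write-Warning 'Tamper protection is off on this host.'
}
```

Running the rule in `AuditMode` first shows which legitimate administration tools would be blocked before enforcing it. Microsoft documents this rule as incompatible with devices managed through Configuration Manager, because the Configuration Manager client itself relies on WMI commands.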