Prestige Ransomware

Introduction: Prestige Ransomware, emerging in October 2022, is a sophisticated threat known for its targeted campaigns primarily directed at entities in Poland and Ukraine. This analysis provides a comprehensive overview of Prestige Ransomware, detailing its targets, spreading mechanisms, technical intricacies, detection strategies, and mitigation measures.

Prestige Ransomware Overview:

  • Emergence:
    • First observed in October 2022.
    • Initial footholds are often acquired through Commercial Off-The-Shelf (COTS) tools or Living Off The Land Binaries (LOLBINs).

Targets:

  • Geographical Focus:
    • Predominantly targets entities in Poland and Ukraine.
    • Early campaigns were specifically aimed at these regions.

Spread Mechanisms:

  • Infection Vectors:
    • Utilizes phishing and spear phishing emails for initial infection.
    • Uses third-party frameworks such as Empire, Metasploit, and Cobalt Strike for lateral movement.

Technical Details:

  • Campaign Characteristics:
    • Multiple targeted attacks observed in Poland and Ukraine.
    • Initial footholds are obtained through COTS tools or LOLBINs such as Impacket WMIexec, Remote Exec, ntdsutil.exe, and winPEAS.
    • File Encryption: The malware locates files meeting specified criteria for encryption, marked with a “.enc” extension.
    • Registry Modification: Registers a custom file handler via registry.
    • Data Deletion: Attempts to delete Volume Shadow Copies and the local Backup Catalog using wbadmin.exe.
    • Spreading Mechanism: Prefers ADMIN$ when spreading to adjacent hosts.
    • Payload Distribution: Copies of the payload are written to remote hosts and launched via scheduled tasks created through Impacket.

Detection Strategies:

  • The EDR Endpoint Protection Platform is adept at detecting and preventing malicious behaviors and artifacts associated with Prestige ransomware.
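
The behaviours listed under Technical Details (backup catalog deletion with wbadmin.exe, registration of a handler for the “.enc” extension, mass renaming to “.enc”, payload writes to ADMIN$ followed by scheduled-task creation on the target) map directly to endpoint telemetry a defender can alert on. The script below is an added example and is not code from this page or from the RASOC EDR platform: it runs a handful of correlation rules over constructed endpoint events (process creations, file writes, registry writes and scheduled-task creations, the last modelled loosely on Windows Security Event ID 4698). The event layout, host names, the placeholder handler and task names, and the burst thresholds are all assumptions made for the example.

```python
"""Triage constructed endpoint events for Prestige-style ransomware behaviour.

Added example, not part of the original page. Event schema and sample values
are assumptions; adapt the field names to your own EDR/SIEM export.
"""
import re
from collections import defaultdict

# Detection patterns for the behaviours the page describes.
WBADMIN_DELETE = re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b", re.I)   # backup catalog / shadow deletion
ENC_HANDLER_KEY = re.compile(r"\\Classes\\\.enc$|^HKCR\\\.enc$", re.I)  # custom handler for .enc
ADMIN_SHARE = re.compile(r"^\\\\[^\\]+\\ADMIN\$\\", re.I)                # write into \\host\ADMIN$\
ENC_EXT = re.compile(r"\.enc$", re.I)
ENC_BURST_COUNT = 20     # assumed: this many .enc writes ...
ENC_BURST_WINDOW = 60    # ... within this many seconds is a rename burst
LATERAL_WINDOW = 300     # assumed: ADMIN$ write -> task creation within 5 minutes

# Constructed sample telemetry: host, t (seconds since start), kind, kind-specific data.
SAMPLE_EVENTS = [
    {"host": "WS01", "t": 0, "kind": "process", "cmdline": "wbadmin delete catalog -quiet"},
    {"host": "WS01", "t": 3, "kind": "registry",
     "key": r"HKLM\SOFTWARE\Classes\.enc", "value": "enc_handler_placeholder"},
    *[{"host": "WS01", "t": 10 + i, "kind": "file",
       "path": rf"C:\Users\alice\Documents\report{i}.docx.enc"} for i in range(30)],
    {"host": "WS01", "t": 60, "kind": "file", "path": r"\\WS02\ADMIN$\payload_placeholder.exe"},
    {"host": "WS02", "t": 75, "kind": "task_created", "task": r"\task_placeholder"},
    # Benign noise on a third host: a routine backup and a single stray .enc file.
    {"host": "WS03", "t": 0, "kind": "process",
     "cmdline": "wbadmin start backup -backupTarget:E: -include:C: -quiet"},
    {"host": "WS03", "t": 20, "kind": "file", "path": r"C:\temp\notes.enc"},
]


def match_event(ev):
    """Rule names a single event triggers on its own (stateless checks)."""
    hits = []
    if ev["kind"] == "process" and WBADMIN_DELETE.search(ev.get("cmdline", "")):
        hits.append("backup_catalog_deletion")
    elif ev["kind"] == "registry" and ENC_HANDLER_KEY.search(ev.get("key", "")):
        hits.append("enc_file_handler_registered")
    elif ev["kind"] == "file" and ADMIN_SHARE.match(ev.get("path", "")):
        hits.append("admin_share_write")
    elif ev["kind"] == "task_created":
        hits.append("scheduled_task_created")
    return hits


def enc_burst(events, count=ENC_BURST_COUNT, window=ENC_BURST_WINDOW):
    """Hosts on which at least `count` local files ending in .enc appeared within `window` seconds."""
    times = defaultdict(list)
    for ev in events:
        path = ev.get("path", "")
        if ev["kind"] == "file" and ENC_EXT.search(path) and not path.startswith("\\\\"):
            times[ev["host"]].append(ev["t"])
    flagged = set()
    for host, ts in times.items():
        ts.sort()
        start = 0
        for end in range(len(ts)):          # sliding window over sorted timestamps
            while ts[end] - ts[start] > window:
                start += 1
            if end - start + 1 >= count:
                flagged.add(host)
                break
    return flagged


def lateral_movement(events, window=LATERAL_WINDOW):
    """Pair a write into \\\\<target>\\ADMIN$ with a scheduled task created on that target soon after."""
    staged = defaultdict(list)              # target host -> times a file landed in its ADMIN$
    for ev in events:
        path = ev.get("path", "")
        if ev["kind"] == "file" and ADMIN_SHARE.match(path):
            staged[path.split("\\")[2].upper()].append(ev["t"])
    pairs = []
    for ev in events:
        if ev["kind"] == "task_created":
            for t0 in staged.get(ev["host"].upper(), []):
                if 0 <= ev["t"] - t0 <= window:
                    pairs.append((ev["host"], ev["task"]))
                    break
    return pairs


def triage(events, min_score=2):
    """Per-host sorted findings for hosts showing at least `min_score` distinct behaviours."""
    findings = defaultdict(set)
    for ev in events:
        for rule in match_event(ev):
            findings[ev["host"]].add(rule)
    for host in enc_burst(events):
        findings[host].add("enc_rename_burst")
    for host, _task in lateral_movement(events):
        findings[host].add("admin_share_then_scheduled_task")
    return {h: sorted(r) for h, r in findings.items() if len(r) >= min_score}


if __name__ == "__main__":
    for host, rules in triage(SAMPLE_EVENTS).items():
        print(host, rules)      # WS01 and WS02 are flagged; WS03 stays quiet
```

Requiring two distinct behaviours per host before flagging keeps a lone backup job or a single stray “.enc” file (WS03 in the sample) from paging anyone, while a host that both deletes its backup catalog and starts mass-renaming files is flagged at once; the ADMIN$-then-task pairing surfaces the next victim (WS02) before it has encrypted anything, which is the point at which the isolation step in the incident-response list below is cheapest.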

Mitigation Measures:

  • The EDR Endpoint Protection Platform offers restoration capabilities, returning systems to their pre-infection state through Repair or Rollback features.

Removal Process:

  • EDR customers are shielded from Prestige ransomware, with no manual updates required. In cases where the policy was set to Detect Only and a device is infected, EDR's unique rollback capability removes the infection and restores files to their original state.

Incident Response:

  1. Detection:
    • Identify signs of Prestige ransomware through security tools and network monitoring.
  2. Isolation:
    • Disconnect infected devices from the network to prevent further spread.
  3. Removal:
    • Run a malware scan using anti-malware tools to eliminate the Prestige ransomware.
  4. Restoration:
    • Restore encrypted files from backups for data recovery.
  5. Expert Consultation:
    • Seek assistance from security experts for a comprehensive assessment and prevention of future attacks.

Proactive security measures, ongoing training, and robust backup strategies play a pivotal role in mitigating the risk of Prestige ransomware attacks.

Copyright © 2024 RASOC all rights reserved