IT Infrastructure, Network Security, News

Microsoft Discovers Novel, Previously Unidentified Ransomware Strain

A novel ransomware campaign targeting organizations in Ukraine has been observed by Microsoft for the first time.

October 17, 2022 Zachary Comeau Leave a Comment


Microsoft is warning of a “novel” ransomware campaign targeting organizations in Ukraine and Poland leveraging a previously unidentified payload that was deployed in attacks just last week.

According to the Redmond, Wash. IT giant, the new ransomware labels itself as “Prestige ranusomeware” and features an enterprise-wide deployment model that is not common in attacks seen in Ukraine thus far. In addition, this activity does not appear to be connected to any of the 90-plus ransomware activity groups that Microsoft tracks.

In fact, this is the first time Microsoft has ever observed this ransomware strain in the wild.

The company says the activity shares some similarities with Russian state-aligned activity since its victims are Russia’s adversaries. Additionally, some of the victims of the ransomware overlap with victims of FoxBlade, a destructive malware deployed against Ukraine also known as HermeticWiper. Like other mass-deployment ransomware campaigns, the attacks all occurred within an hour of each other across all victims, Microsoft says.

However, this campaign is much different from recent wiper attacks that have impacted multiple critical infrastructure organizations in Ukraine, and it’s unclear which threat group is behind these ransomware attacks.

According to Microsoft, the threat actor behind these attacks uses two widely available remote execution tools: the commercially available RemoteExec for agentless remote code execution and the open-source, script-based remote code execution tool Impacket WMIExec.

To gain access to highly privileged credentials, the attackers use three main tools for privilege escalation and credential extraction, including:

  • winPEAS – an open-source collection of scripts to perform privilege escalation on Windows
  • comsvcs.dll – used to dump the memory of the LSASS process and steal credentials
  • ntdsutil.exe – used to back up the Active Directory database, likely so the credentials it contains can be extracted and used later

In all deployments observed by Microsoft, the attacker already had advanced privileges, including Domain Admin. Administrator privileges are required to run the ransomware. However, an initial access vector has not yet been identified, suggesting the threat actor had access from a prior compromise.

This campaign also differs in the methods used to deploy the ransomware.

In one method, the payload is copied to the ADMIN$ share of a remote system, and Impacket is used to remotely create a Windows Scheduled Task on target systems to execute the payload. In another, the ransomware payload is copied to the ADMIN$ share of a remote system, and Impacket is used to remotely invoke an encoded PowerShell command on target systems to execute the payload. Another deployment leverages an Active Directory Domain Controller and the Default Domain Group Policy Object.

Like other ransomware, Prestige attempts to stop the MSSQL Windows service to ensure successful encryption using the command C:\Windows\System32\net.exe stop MSSQLSERVER. The ransomware creates C:\Users\Public\README and stores the ransom note in the file. The same file is also created in the root directory of each drive, Microsoft says.

The ransomware then traverses the files on the file system and encrypts the contents of files while avoiding encrypting files in the C:\Windows\ and C:\ProgramData\Microsoft\ directories, according to the company.

To encrypt files, Prestige leverages the CryptoPP C++ library to AES-encrypt each eligible file. After encrypting each file, the ransomware appends the extension .enc to the existing extension of the file. For example, changes.txt is encrypted and then renamed to changes.txt.enc, Microsoft security experts say.

The ransomware then runs other commands to delete the backup catalog from the system to hinder system and file recovery, and also deletes all volume shadow copies on the system.
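The behaviours described above (the encoded PowerShell launched through WMI, the MSSQL service stop, the README drop locations, the .enc double extension with its two excluded directories, and the backup-catalog and shadow-copy deletion) lend themselves to a simple hunting script. The following is an added example written for this article, not Microsoft's code and not taken from its blog post. The process events and file paths are constructed. The exact commands for backup-catalog and shadow-copy deletion (wbadmin and vssadmin), the schtasks.exe pattern for remote task creation, and WmiPrvSE.exe as the parent of WMIExec-launched commands are assumptions based on standard Windows tooling; the article only states what the ransomware does, not the commands it uses.

```python
"""Hunting helpers for the Prestige tradecraft described in the article.

Added example, not Microsoft's or the article's code. Rules marked
"assumption" encode common Windows commands for the behaviour the article
describes; the article itself does not name those commands.
"""
import re
from typing import Dict, Iterable, List

# (rule name, regex over the command line, regex over the parent image or None)
RULES = [
    # From the article: the ransomware stops MSSQL before encrypting.
    ("mssql_service_stop",
     re.compile(r"\bnet(?:1)?(?:\.exe)?\s+stop\s+MSSQLSERVER\b", re.I), None),
    # From the article: Impacket is used to run an encoded PowerShell command.
    # Assumption: WMIExec commands appear with WmiPrvSE.exe as their parent.
    ("encoded_ps_from_wmi",
     re.compile(r"powershell(?:\.exe)?\s.*-(?:e|ec|enc|encodedcommand)\b", re.I),
     re.compile(r"\\WmiPrvSE\.exe$", re.I)),
    # Assumption: the remote scheduled task is created with schtasks.exe /s <host>.
    ("remote_schtask_create",
     re.compile(r"\bschtasks(?:\.exe)?\s+/create\b.*\s/s\s+\S+", re.I), None),
    # Assumptions for the backup-catalog and shadow-copy deletion the article describes.
    ("backup_catalog_delete",
     re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I), None),
    ("shadow_copy_delete",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I), None),
]

# Directory trees the article says Prestige skips; anything under them is not
# expected to carry the .enc rename, so a hit there is noise rather than signal.
EXCLUDED_PREFIXES = ("c:\\windows\\", "c:\\programdata\\microsoft\\")

# Ransom-note locations named in the article: C:\Users\Public\README and the root of every drive.
NOTE_RE = re.compile(r"^(?:[a-z]:\\README|c:\\users\\public\\README)$", re.I)


def classify_event(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule a process-creation event matches."""
    cmd, parent = event.get("cmdline", ""), event.get("parent", "")
    return [name for name, cmd_re, parent_re in RULES
            if cmd_re.search(cmd) and (parent_re is None or parent_re.search(parent))]


def hunt(events: Iterable[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group rule hits per host, preserving event order, so the chain is visible."""
    findings: Dict[str, List[str]] = {}
    for ev in events:
        for name in classify_event(ev):
            findings.setdefault(ev["host"], []).append(name)
    return findings


def looks_prestige_encrypted(path: str) -> bool:
    """True for name.ext -> name.ext.enc renames outside the excluded trees."""
    low = path.lower()
    if low.startswith(EXCLUDED_PREFIXES):
        return False
    name = low.rsplit("\\", 1)[-1]
    return name.endswith(".enc") and name.count(".") >= 2


def ransom_note_paths(paths: Iterable[str]) -> List[str]:
    """Return the paths that sit where the article says the README is dropped."""
    return [p for p in paths if NOTE_RE.match(p)]


# Constructed sample telemetry (Sysmon EventID 1 / Security 4688 style), not real data.
SAMPLE_EVENTS = [
    {"host": "srv-db01", "parent": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QQBBAEEA"},
    {"host": "srv-db01", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\net.exe",
     "cmdline": "C:\\Windows\\System32\\net.exe stop MSSQLSERVER"},
    {"host": "srv-db01", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\wbadmin.exe",
     "cmdline": "wbadmin delete catalog -quiet"},
    {"host": "ws-042", "parent": "C:\\Windows\\explorer.exe",   # benign admin script
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\inventory.ps1"},
]
SAMPLE_PATHS = [  # constructed
    "C:\\Users\\Public\\README", "D:\\README",
    "C:\\Users\\alice\\Documents\\changes.txt.enc",
    "C:\\Windows\\System32\\drivers\\etc\\hosts.enc",
    "C:\\Users\\alice\\notes.txt",
]

if __name__ == "__main__":
    for host, hits in hunt(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(hits))
    print("ransom notes:", ransom_note_paths(SAMPLE_PATHS))
    print("encrypted:", [p for p in SAMPLE_PATHS if looks_prestige_encrypted(p)])
```

Running it lists the three hits on srv-db01 in the order they occurred, leaves the workstation's ordinary script launch alone, and flags both README locations plus the one .enc rename outside the skipped directories. In a real deployment the same rules would run over your EDR or SIEM process-creation feed; chaining the WMI-spawned encoded PowerShell with a later service stop or catalog deletion on the same host is what separates this tradecraft from routine admin activity.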

In addition to using multifactor authentication and enabling tamper protection and cloud-delivered protection in Microsoft Defender, Microsoft suggests blocking process creations originating from PSExec and WMI commands.

Read Microsoft’s blog on the Prestige ransomware for more information, including indicators of compromise, detections and advanced hunting queries.
