MTM New “Prestige” ransomware targets Ukraine and Poland | USA news

15/10/2022

The new “Prestige” ransomware targets organizations in Ukraine and Poland

The Microsoft Threat Intelligence Center (MSTIC) has identified evidence of a novel ransomware campaign targeting organizations in the transportation and related logistics industries in Ukraine and Poland, using a previously unidentified ransomware payload. We observed that this new ransomware, which calls itself "Prestige ranusomware" in its ransom note, was deployed on October 11 in attacks that hit all victims within an hour of each other.

This campaign had several notable characteristics that set it apart from other ransomware campaigns tracked by Microsoft. Enterprise-wide deployment of ransomware is not common in Ukraine, and this activity was not associated with any of the 94 currently active ransomware activity groups that Microsoft is tracking. Prestige ransomware was not observed by Microsoft prior to this deployment. The activity shares victimology with recent Russian state-aligned activity, particularly in the affected regions and countries, and overlaps with previous victims of the FoxBlade malware (aka HermeticWiper). Despite using similar deployment techniques, the campaign differs from the recent destructive attacks using AprilAxe (ArguePatch)/CaddyWiper or FoxBlade (HermeticWiper) that have hit several critical infrastructure organizations in Ukraine over the past two weeks. MSTIC has not yet linked this ransomware campaign to any known threat group and is continuing the investigation. MSTIC tracks this activity as DEV-0960.

Microsoft uses DEV-#### labels as temporary names for unknown, emerging, or evolving clusters of threat activity, allowing MSTIC to track them as a unique set of information until it reaches high confidence in the origin or identity of the actor behind the activity. Once it meets the criteria, a DEV cluster is promoted to a named actor or merged with an existing actor. This blog aims to provide Microsoft customers and the wider security community with awareness and indicators of compromise (IOCs). Microsoft continues to monitor this activity and is in the process of providing early notification to customers affected by DEV-0960 but not yet ransomed. MSTIC is also actively working with the broader security community and other strategic partners to share intelligence that can help address this evolving threat across multiple channels. We strongly recommend using an antimalware solution.