Microsoft hasn’t seen the attackers use a specific software exploit, but all the attacks utilize stolen Active Directory admin account credentials. The ransom note identifies itself as being “Prestige ranusomeware”, according to the Microsoft Threat Intelligence Center (MSTIC). The ransomware was launched on October 11 and stood out to researchers because it was a rare example in Ukraine of an enterprise-wide ransomware deployment and was distinct from the 94 other ransomware gangs Microsoft is tracking.

The victim profiles also align with recent Russia state-aligned activity and overlap with victims of the HermeticWiper destructive malware that was deployed at the outset of Russia’s invasion of Ukraine. The US government in February was worried the same malware could be used against US organizations. But MSTIC says the Prestige campaign is separate from HermeticWiper and other destructive malware that has been deployed at multiple Ukraine critical infrastructure operators in the past two weeks. Microsoft has been tracking destructive malware deployed against Ukraine organizations since January.

MSTIC is tracking this activity as DEV-0960. DEV is its term for previously unidentified threat actors. It will merge the group’s activity with that of a known threat actor, such as Nobelium, the group behind the SolarWinds supply chain attack, if it establishes a connection to a particular group.

The group uses several publicly available tools for remote-code execution and grabbing high-privilege administrator credentials. But MSTIC doesn’t know how the attackers are gaining initial access to networks. It suspects the attackers already had privileged credentials from previous compromises. However the actors gained access, in all cases they already held domain admin-level rights before deploying the ransomware.
Microsoft outlines three distinct methods the group used to deploy the ransomware, with all of the deployments occurring within the same one-hour window across the victims. The fact that the group used multiple methods, rather than one, was unusual. “Most ransomware operators develop a preferred set of tradecraft for their payload deployment and execution, and this tradecraft tends to be consistent across victims, unless a security configuration prevents their preferred method,” MSTIC explains. “For this DEV-0960 activity, the methods used to deploy the ransomware varied across the victim environments, but it does not appear to be due to security configurations preventing the attacker from using the same techniques. This is especially notable as the ransomware deployments all occurred within one hour.” Given that the attackers are not using a known software vulnerability, Microsoft has provided several actions organizations can take to protect themselves, including enabling tamper protection (to stop alterations to antivirus) and enabling multi-factor authentication. The mitigations include:
- Block process creations originating from PSExec and WMI commands, to stop lateral movement utilizing the WMIexec component of Impacket
- Enable Tamper protection to prevent attackers from stopping or interfering with Microsoft Defender
- Turn on cloud-delivered protection in Microsoft Defender Antivirus or its equivalent
- Enable MFA and ensure that MFA is enforced for all remote connectivity, including VPNs
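The Defender-side items on that list can be applied and verified from an elevated PowerShell session on a single endpoint. The script below is an added example written for this article; it is not code from Microsoft’s report. It uses the Defender cmdlets and Microsoft’s published GUID for the PSExec/WMI attack surface reduction (ASR) rule; the ASR_ENFORCE environment variable and the hypothetical-name output object are assumptions made for the example.

```powershell
# Added example (not from Microsoft's report or this article): apply and verify the
# Defender mitigations listed above on one Windows host running Microsoft Defender Antivirus.
#Requires -RunAsAdministrator

# 1. ASR rule "Block process creations originating from PSExec and WMI commands".
#    The GUID is Microsoft's published identifier for this rule. Roll it out in AuditMode
#    first and review the audit events before enforcing: the rule also blocks the
#    Configuration Manager client, which itself relies on WMI to spawn processes.
$PsExecWmiRule = 'd1e49aac-8f56-4280-b9ba-993a6d77406c'
# ASR_ENFORCE=1 is an assumption for this example; unset means audit-only.
$Action = if ($env:ASR_ENFORCE -eq '1') { 'Enabled' } else { 'AuditMode' }
Add-MpPreference -AttackSurfaceReductionRules_Ids $PsExecWmiRule `
                 -AttackSurfaceReductionRules_Actions $Action

# 2. Cloud-delivered protection (MAPS) plus safe-sample submission.
Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent SendSafeSamples

# 3. Tamper protection cannot be switched on with Set-MpPreference; it is enabled from the
#    Windows Security app, Intune, or the Defender for Endpoint portal. Only verify it here.

# Verification: one object a compliance check can consume.
# Get-MpPreference reports ASR actions numerically: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
$pref   = Get-MpPreference
$status = Get-MpComputerStatus
$ruleAction = 'NotConfigured'
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    if ($pref.AttackSurfaceReductionRules_Ids[$i] -eq $PsExecWmiRule) {   # -eq is case-insensitive
        $ruleAction = switch ($pref.AttackSurfaceReductionRules_Actions[$i]) {
            0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' } default { 'Unknown' }
        }
    }
}

# Recent ASR hits for this rule: 1121 = blocked, 1122 = audited. In audit mode these show
# what the block would have stopped, so legitimate WMI/PsExec admin tooling can be spotted.
$asrEvents = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122
} -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $PsExecWmiRule }

[pscustomobject]@{   # hypothetical report shape, chosen for this example
    PsExecWmiRuleAction    = $ruleAction
    MAPSReporting          = $pref.MAPSReporting          # 2 = Advanced
    SubmitSamplesConsent   = $pref.SubmitSamplesConsent   # 1 = SendSafeSamples
    TamperProtected        = $status.IsTamperProtected
    RecentAsrHitsForRule   = @($asrEvents).Count
}
```

Run it once with ASR_ENFORCE unset, let the audit events accumulate for a few days, and check RecentAsrHitsForRule and the 1122 messages for legitimate administration traffic (patch tooling, Configuration Manager, monitoring agents) before re-running with ASR_ENFORCE=1. A TamperProtected value of False means step 3 still needs to be done through management tooling; MFA on remote access is a perimeter or identity-provider setting and is outside what this endpoint script can verify.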
“The threat landscape in Ukraine continues to evolve, and wipers and destructive attacks have been a consistent theme. Ransomware and wiper attacks rely on many of the same security weaknesses to succeed,” Microsoft warned.