{
	"id": "775088d2-e2bf-4e5a-a4c1-fa101d070a57",
	"created_at": "2026-04-06T01:31:28.169357Z",
	"updated_at": "2026-04-10T03:37:09.283016Z",
	"deleted_at": null,
	"sha1_hash": "025a79c933be737c476e0cd8ea5a41df9ddb4e56",
	"title": "New “Prestige” ransomware impacts organizations in Ukraine and Poland",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 667306,
	"plain_text": "New “Prestige” ransomware impacts organizations in Ukraine and\r\nPoland\r\nBy Microsoft Threat Intelligence\r\nPublished: 2022-10-14 · Archived: 2026-04-06 00:42:50 UTC\r\nApril 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned\r\naround the theme of weather. IRIDIUM is now tracked as Seashell Blizzard.\r\nTo learn about how the new taxonomy represents the origin, unique traits, and impact of threat actors, and to get a\r\ncomplete mapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming\r\ntaxonomy.\r\nNovember 10, 2022 update: MSTIC has updated this blog to document assessed attribution of DEV-0960 as\r\nIRIDIUM, the actor that executed the Prestige ransomware-style attacks.\r\nThe Microsoft Threat Intelligence Center (MSTIC) has identified evidence of a novel ransomware campaign\r\ntargeting organizations in the transportation and related logistics industries in Ukraine and Poland utilizing a\r\npreviously unidentified ransomware payload. We observed this new ransomware, which labels itself in its ransom\r\nnote as “Prestige ranusomeware”, being deployed on October 11 in attacks occurring within an hour of each other\r\nacross all victims.\r\nAttribution to IRIDIUM\r\nAs of November 2022, MSTIC assesses that IRIDIUM very likely executed the Prestige ransomware-style attack.\r\nIRIDIUM is a Russia-based threat actor tracked by Microsoft, publicly overlapping with Sandworm, that has been\r\nconsistently active in the war in Ukraine and has been linked to destructive attacks since the start of the war. This\r\nattribution assessment is based on forensic artifacts, as well as overlaps in victimology, tradecraft, capabilities, and\r\ninfrastructure, with known IRIDIUM activity. 
Review of technical artifacts available to Microsoft links IRIDIUM\r\nto interactive compromise activity at multiple Prestige victims as far back as March 2022 and continuing within\r\nthe week leading up to the October 2022 attack discussed in the blog below.\r\nThe Prestige campaign may highlight a measured shift in IRIDIUM’s destructive attack calculus, signaling\r\nincreased risk to organizations directly supplying or transporting humanitarian or military assistance to Ukraine.\r\nMore broadly, it may represent an increased risk to organizations in Eastern Europe that may be considered by the\r\nRussian state to be providing support relating to the war.\r\nMicrosoft would like to acknowledge CERT UA for their cooperation and information sharing to assist in our\r\ninvestigations. CERT UA continues to demonstrate incredible resolve and commitment to security despite physical\r\ndanger.\r\nhttps://www.microsoft.com/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/\r\nPage 1 of 9\n\nObserved actor activity\r\nThis ransomware campaign had several notable features that differentiate it from other Microsoft-tracked\r\nransomware campaigns:\r\nThe enterprise-wide deployment of ransomware is not common in Ukraine, and this activity was not\r\nconnected to any of the 94 currently active ransomware activity groups that Microsoft tracks\r\nThe Prestige ransomware had not been observed by Microsoft prior to this deployment\r\nThe activity shares victimology with recent Russian state-aligned activity, specifically on affected\r\ngeographies and countries, and overlaps with previous victims of the FoxBlade malware (also known as\r\nHermeticWiper)\r\nDespite using similar deployment techniques, the campaign is distinct from recent destructive attacks leveraging\r\nAprilAxe (ArguePatch)/CaddyWiper or Foxblade (HermeticWiper) that have impacted multiple critical\r\ninfrastructure organizations in Ukraine over the last two weeks. 
MSTIC has not yet linked this ransomware\r\ncampaign to a known threat group and is continuing investigations. MSTIC is tracking this activity as IRIDIUM.\r\nThis blog aims to provide awareness and indicators of compromise (IOCs) to Microsoft customers and the larger\r\nsecurity community. Microsoft continues to monitor this and is in the process of early notification to customers\r\nimpacted by IRIDIUM but not yet ransomed. MSTIC is also actively working with the broader security\r\ncommunity and other strategic partners to share information that can help address this evolving threat through\r\nmultiple channels.\r\nPre-ransomware activities\r\nPrior to deploying ransomware, the IRIDIUM activity included the use of the following two remote execution\r\nutilities:\r\nRemoteExec – a commercially available tool for agentless remote code execution\r\nImpacket WMIexec – an open-source script-based solution for remote code execution\r\nTo gain access to highly privileged credentials, in some of the environments, IRIDIUM used these tools for\r\nprivilege escalation and credential extraction:\r\nwinPEAS – an open-source collection of scripts to perform privilege escalation on Windows\r\ncomsvcs.dll – used to dump the memory of the LSASS process and steal credentials\r\nntdsutil.exe – used to back up the Active Directory database, likely for later use of the credentials it holds\r\nRansomware deployment\r\nIn all observed deployments, the attacker had already gained access to highly privileged credentials, like Domain\r\nAdmin, to facilitate the ransomware deployment. The initial access vector has not been identified at this time, but in\r\nsome instances it’s possible that the attacker might have already had existing access to the highly privileged\r\ncredentials from a prior compromise. 
In these instances, the attack timeline starts with the attacker already having\r\nDomain Admin-level access and staging their ransomware payload.\r\nMost ransomware operators develop a preferred set of tradecraft for their payload deployment and execution, and\r\nthis tradecraft tends to be consistent across victims, unless a security configuration prevents their preferred\r\nmethod. For this IRIDIUM activity, the methods used to deploy the ransomware varied across the victim\r\nenvironments, but it does not appear to be due to security configurations preventing the attacker from using the\r\nsame techniques. This is especially notable as the ransomware deployments all occurred within one hour. The\r\ndistinct methods for ransomware deployment were:\r\nMethod 1: The ransomware payload is copied to the ADMIN$ share of a remote system, and Impacket is\r\nused to remotely create a Windows Scheduled Task on target systems to execute the payload\r\nMethod 2: The ransomware payload is copied to the ADMIN$ share of a remote system, and Impacket is\r\nused to remotely invoke an encoded PowerShell command on target systems to execute the payload\r\nMethod 3: The ransomware payload is copied to an Active Directory Domain Controller and deployed to\r\nsystems using the Default Domain Group Policy Object\r\nMalware analysis\r\nThe “Prestige” ransomware requires administrative privileges to run. 
Like many ransomware payloads, it attempts\r\nto stop the MSSQL Windows service to ensure successful encryption using the following command (the strings\r\n“C:\\Windows\\System32\\net.exe stop” and “MSSQLSERVER” are both hardcoded in the analyzed samples):\r\nPrestige creates C:\\Users\\Public\\README and stores the following ransom note in the file. The same file is also\r\ncreated in the root directory of each drive:\r\nPrestige ransom note\r\nPrestige then traverses the files on the file system and encrypts the contents of files that have one of the following\r\nhardcoded file extensions, avoiding encrypting files in the C:\\Windows\\ and C:\\ProgramData\\Microsoft\\\r\ndirectories:\r\nAfter encrypting each file, the ransomware appends the extension .enc to the existing extension of the file. For\r\nexample, changes.txt is encrypted and then renamed to changes.txt.enc. Prestige uses the following two\r\ncommands to register a custom file extension handler for files with the .enc file extension:\r\nCustom file extension handler for files with .enc extension\r\nAs a result of creating the custom file extension handler, when any file carrying the file extension .enc (i.e.,\r\nencrypted by Prestige) is opened by a user, the file extension handler uses Notepad to open\r\nC:\\Users\\Public\\README, which contains the ransom note.\r\nTo encrypt files, Prestige leverages the CryptoPP C++ library to AES-encrypt each eligible file. 
During the\r\nencryption process, the following hardcoded RSA X509 public key is used by one version of the ransomware\r\n(each version of Prestige may carry a unique public key):\r\nTo hinder system and file recovery, Prestige runs the following command to delete the backup catalog from the\r\nsystem:\r\nPrestige also runs the following command to delete all volume shadow copies on the system:\r\nBefore running the commands above, the 32-bit version of Prestige calls the function\r\nWow64DisableWow64FsRedirection() to disable file system redirection and gain access to the native System32\r\ndirectory. After running the commands above, Prestige restores file system redirection by calling the function\r\nWow64RevertWow64FsRedirection().\r\nMicrosoft will continue to monitor IRIDIUM activity and implement protections for our customers. The current\r\ndetections, advanced detections, and IOCs in place across our security products are detailed below.\r\nLooking forward\r\nThe threat landscape in Ukraine continues to evolve, and wipers and destructive attacks have been a consistent\r\ntheme. Ransomware and wiper attacks rely on many of the same security weaknesses to succeed. As the situation\r\nevolves, organizations can adopt the hardening guidance below to help build more robust defenses against these\r\nthreats.\r\nRecommended customer actions\r\nThe ransomware payload was deployed by the actor after an initial compromise that involved gaining access to\r\nhighly privileged credentials. 
The techniques used by the actor and described in the “Observed Actor Activity”\r\nsection can be mitigated by adopting the security considerations provided below:\r\nBlock process creations originating from PSExec and WMI commands to stop lateral movement utilizing\r\nthe WMIexec component of Impacket.\r\nEnable Tamper protection to prevent attacks from stopping or interfering with Microsoft Defender.\r\nTurn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus\r\nproduct to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections\r\nblock a huge majority of new and unknown variants.\r\nWhile this attack differs from traditional ransomware, following our defending against ransomware\r\nguidance helps protect against the credential theft, lateral movement, and ransomware deployment used by\r\nIRIDIUM.\r\nUse the included indicators of compromise to investigate whether they exist in your environment and\r\nassess for potential intrusion.\r\nEnable multifactor authentication (MFA) to mitigate potentially compromised credentials and ensure that\r\nMFA is enforced for all remote connectivity, including VPNs. Microsoft strongly encourages all customers to\r\ndownload and use password-less solutions like Microsoft Authenticator to secure your accounts.\r\nIndicators of compromise (IOCs)\r\nThe following table lists the IOCs observed during our investigation. 
We encourage our customers to investigate\r\nthese indicators in their environments and implement detections and protections to identify past related activity\r\nand prevent future attacks against their systems.\r\nIndicator | Type | Description\r\n5dd1ca0d471dee41eb3ea0b6ea117810f228354fc3b7b47400a812573d40d91d | SHA-256 | Prestige ransomware payload\r\n5fc44c7342b84f50f24758e39c8848b2f0991e8817ef5465844f5f2ff6085a57 | SHA-256 | Prestige ransomware payload\r\n6cff0bbd62efe99f381e5cc0c4182b0fb7a9a34e4be9ce68ee6b0d0ea3eee39c | SHA-256 | Prestige ransomware payload\r\na32bbc5df4195de63ea06feb46cd6b55 | Import hash | Unique PE import hash shared by ransomware payloads\r\nC:\\Users\\Public\\README | File path | File path of the ransom note\r\nNOTE: These indicators should not be considered exhaustive for this observed activity.\r\nDetections\r\nMicrosoft 365 Defender\r\nMicrosoft Defender Antivirus\r\nMicrosoft Defender Antivirus detects known Prestige ransomware payloads with the following detection:\r\nRansom:Win32/Prestige\r\nMicrosoft Defender for Endpoint\r\nMicrosoft Defender for Endpoint provides alerts for the indicators used by IRIDIUM discussed above.\r\nRansomware-linked emerging threat activity group IRIDIUM detected\r\nMicrosoft Defender for Endpoint also provides alerts for the pre-ransom techniques discussed above.\r\nCustomers should act on these alerts as they indicate hands-on-keyboard attacks. 
NOTE: These alerts are not\r\nuniquely tied to the Prestige ransomware nor to the campaign discussed.\r\nOngoing hands-on-keyboard attack via Impacket toolkit\r\nWinPEAS tool detected\r\nSensitive credential memory read\r\nPassword hashes dumped from LSASS memory\r\nSuspicious scheduled task activity\r\nSystem recovery setting tampering\r\nFile backups were deleted\r\nAdvanced hunting queries\r\nMicrosoft Sentinel\r\nPrestige ransomware file hashes\r\nThis query looks for file hashes and Microsoft Defender Antivirus detections associated with the Prestige ransomware\r\npayload.\r\nhttps://github.com/Azure/Azure-Sentinel/tree/master/Detections/MultipleDataSources/PrestigeRansomwareIOCsOct22.yaml\r\nMicrosoft 365 Defender\r\nImpacket WMIexec usage\r\nThis query surfaces Impacket WMIexec usage on a device:\r\nDeviceProcessEvents\r\n| where Timestamp \u003e= ago(7d)\r\n| where FileName =~ \"cmd.exe\"\r\n| where ProcessCommandLine has_all (@\" 1\u003e \\127.0.0.1\\\", \"/Q \", \"/c \", @\" 2\u003e\u00261\")\r\n| where InitiatingProcessFileName =~ \"WmiPrvSE.exe\"\r\nThis query has the same purpose as above, but it also groups all the commands launched using Impacket\r\nWMIexec on the device:\r\nDeviceProcessEvents\r\n| where Timestamp \u003e= ago(7d)\r\n| where FileName =~ \"cmd.exe\"\r\n| where ProcessCommandLine has_all (@\" 1\u003e \\127.0.0.1\\\", \"/Q \", \"/c \", @\" 2\u003e\u00261\")\r\n| where InitiatingProcessFileName =~ \"WmiPrvSE.exe\"\r\n| project DeviceName, DeviceId, Timestamp, ProcessCommandLine\r\n| summarize make_set(ProcessCommandLine), min(Timestamp), max(Timestamp) by DeviceId, DeviceName\r\nLSASS process memory dumping\r\nThis query surfaces attempts to dump the LSASS process memory using comsvcs.dll:\r\nlet startTime = ago(7d);\r\nlet endTime = now();\r\nDeviceProcessEvents\r\n| where Timestamp between 
(startTime..endTime)\r\n| where FileName =~ 'rundll32.exe'\r\nand ProcessCommandLine has 'comsvcs.dll'\r\nand ProcessCommandLine has_any ('full','MiniDump')\r\n| where not (ProcessCommandLine matches regex @'{[\\w\\d]{8}-[\\w\\d]{4}-[\\w\\d]{4}-[\\w\\d]{4}-[\\w\\d]{12}}'\r\nand ProcessCommandLine matches regex @'(\\d{2}_){3}' )\r\nSource: https://www.microsoft.com/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.microsoft.com/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"
	],
	"report_names": [
		"new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland"
	],
	"threat_actors": [
		{
			"id": "0661a292-80f3-420b-9951-a50e03c831c0",
			"created_at": "2023-01-06T13:46:38.928796Z",
			"updated_at": "2026-04-10T02:00:03.148052Z",
			"deleted_at": null,
			"main_name": "IRIDIUM",
			"aliases": [],
			"source_name": "MISPGALAXY:IRIDIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75455540-2f6e-467c-9225-8fe670e50c47",
			"created_at": "2022-10-25T16:07:23.740266Z",
			"updated_at": "2026-04-10T02:00:04.732992Z",
			"deleted_at": null,
			"main_name": "Iridium",
			"aliases": [],
			"source_name": "ETDA:Iridium",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"LazyCat",
				"Powerkatz",
				"SinoChopper",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439088,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/025a79c933be737c476e0cd8ea5a41df9ddb4e56.pdf",
		"text": "https://archive.orkl.eu/025a79c933be737c476e0cd8ea5a41df9ddb4e56.txt",
		"img": "https://archive.orkl.eu/025a79c933be737c476e0cd8ea5a41df9ddb4e56.jpg"
	}
}