In October 2022, Microsoft reported the identification of a new ransomware self-named Prestige that was observed targeting organizations in the transportation and related logistics sectors located in Ukraine and Poland.
A month later, in November 2022, the Microsoft Threat Intelligence Center (MSTIC) determined that the adversary known as Sandworm was most likely behind these attacks. This attribution is based on forensic artifacts as well as overlaps in victimology, techniques, capabilities, and infrastructure with known Sandworm activity.
Sandworm is a highly sophisticated Russian adversary attributed to Russia’s Main Intelligence Directorate (GRU) for Special Technologies (GTsST) military Unit 74455. Active since at least 2009, Sandworm has been characterized by the use of sophisticated malware to target ICS and SCADA systems, particularly in entities located in the Energy, Government, and Media sectors to conduct espionage activities.
The initial foothold in Prestige-related activities is usually obtained through Commercial off-the-Shelf (COTS) tools or “Living off the Land binaries (LOLBins) such as Impacket WMIexec, Remote Exec, NTDSUtil and Windows Privilege Escalation Awesome Scripts (WinPEAS).
When propagating to adjacent hosts the ADMIN$ shared folder is preferred where copies of the payload are written to the remote host and executed via scheduled tasks. Once executed, Prestige locates files that match the prescribed criteria for encryption and registers a custom file manager via registry modifications.
AttackIQ has released a new attack graph that emulates the behaviors exhibited by Prestige ransomware since the beginning of its activities in October 2022 to help customers validate their security controls and their ability to defend against this threat.
Validating your security program performance against these behaviors is vital in reducing risk. By using this new assessment template in the AttackIQ Security Optimization Platform, security teams will be able to:
This attack graph emulates the sequence of behaviors associated with the deployment of Prestige ransomware on a compromised system to provide customers with opportunities to prevent and/or detect a compromise in progress.
The assessment template is based on behaviors reported by Microsoft on October 14, 2022, and txOne on October 31, 2023.
This stage begins with deploying Impacket’s WMIExec which will be used to perform lateral movement through Windows Management Instrumentation (WMI). This is followed by the downloading and saving of Windows Privilege Escalation Awesome Scripts (WinPEAS) an open-source collection of scripts used to perform privilege escalation.
Finally, the Local Security Authority Subsystem Service (LSASS) is dumped using comsvcs.dll.
Ingress Tool Transfer (T1105): This scenario downloads to memory and saves to disk in independent scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.
Windows Management Instrumentation (T1047): This scenario emulates the use of the Impacket
utility to execute the WMIEXEC class
, facilitating lateral movement to any available asset inside the network via the WMI protocol.
OS Credential Dumping: LSASS Memory (T1003.001): This scenario uses rundll32.exe
with comsvcs.dll
to call the MiniDump
export that will dump the LSASS
process memory to disk. This process is used for enforcing security policy on the system and contains many privileged tokens and accounts that are targeted by threat actors.
This stage focuses on the deployment of Prestige ransomware, which is commonly executed through a scheduled task. Once running, Prestige will create a custom file extension handler for the encrypted files through a registry modification.
Next, it will traverse the files on the file system and encrypt the contents of the selected files using a combination of RSA-2048 and AES. Once encryption is successful, volume shadow copies will be deleted using vssadmin.exe
.
Scheduled Task/Job: Scheduled Task (T1053.005): This scenario executes a file through the creation of a new scheduled task using the schtasks
utility.
Modify Registry (T1112): This scenario registers a custom file extension handler for files with .enc file extension by creating the HKEY_CLASSES_ROOT\.enc
and HKEY_CLASSES_ROOT\enc\shell\open\command
registry keys.
File and Directory Discovery (T1083): This scenario will call the FindFirstFileW
and FindNextFileW
Windows API to perform the enumeration of the file system.
Data Encrypted for Impact (T1486): This scenario performs the file encryption routines used by common ransomware families. Files matching an extension list are identified and encrypted in place using similar encryption algorithms as used by Prestige ransomware.
Inhibit System Recovery (T1490): This scenario executes the vssadmin.exe
utility to delete a recent Volume Shadow Copy created by the assessment template.
In addition to the released assessment template, AttackIQ recommends the following scenario to extend the emulation of the capabilities exhibited by Prestige ransomware.
Dump Active Directory Database using ntdsutil.exe: This scenario will attempt to execute the ntdsutil.exe
utility to dump the NTDS.dit
file along with the SYSTEM and SECURITY registry hives.
Given the number of different techniques being utilized by this threat, it can be difficult to know which to prioritize for prevention and detection opportunities. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.
Adversaries may attempt to extract user and credential information from the Local Security Authority Subsystem Service (LSASS) process.
Search for executions of comsvcs that attempt to access the LSASS process.
Process Name == (comsvcs)
Command Line CONTAINS (‘lsass’)
MITRE ATT&CK recommends the following mitigation recommendations:
Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly from the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel.
With an EDR or SIEM Platform, you can detect the following commands being issued to schedule a malicious task.
Process Name = (“cmd.exe” OR “Powershell.exe”)
Command Line CONTAINS (“schtasks” AND “/CREATE” AND (“cmd” OR “powershell”)
MITRE ATT&CK has the following mitigation recommendations for Scheduled Task
Adversaries often delete Volume Shadow Copies to prevent the possibility of restoring files back to their original state. This is a common technique used by ransomware as it prevents the recovery of files once the ransomware encryption routine successfully completes execution.
Detecting deletion of Volume Shadow Copies is usually the first step that occurs and can be detected by looking at the command line activity
Process Name == (cmd.exe OR powershell.exe)
Command Line CONTAINS (“vssadmin” AND “Delete Shadows”)
MITRE ATT&CK has the following mitigation recommendations for Inhibit System Recovery
In summary, this attack graph will evaluate security and incident response processes and support the improvement of your security control posture against the activities carried out by Prestige ransomware operators. With data generated from continuous testing and use of this assessment template, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a known and dangerous threat.
AttackIQ offers a comprehensive Breach and Attack Simulation Platform to assist security teams. This includes AttackIQ Flex, a tailored pay-as-you-go service; AttackIQ Ready!, a fully managed service for continuous security optimization; and AttackIQ Enterprise, a co-managed service offering enhanced support. These services ensure your team maintains a robust security posture.