
Malware Analysis – Prestige Ransomware

Oct 31, 2023

Overview

In October 2022, the ransomware known as ‘Prestige’ targeted the transportation and associated logistics sectors in Ukraine and Poland. By November 2022, the Microsoft Threat Intelligence Center (MSTIC) was able to ascertain that these attacks were orchestrated by the Russia-based threat actor IRIDIUM.

According to the Transport Threat Landscape report by ENISA (European Union Agency for Cybersecurity), there has been a notable surge in cyberattacks on the transportation industry over the past two years. To mount an effective defense against these threats, it is imperative that we thoroughly understand the tactics and techniques employed by these ransomware strains. For that purpose, we have selected the Prestige ransomware as a representative sample and delved into its operational patterns.
Code Flow

The Prestige ransomware is relatively simple: its code flow contains only a few functions, and its sole purpose is file encryption. It is written in C++ and uses Crypto++ as its encryption library.

Figure 1: The Code Flow of Prestige Ransomware

MITRE ATT&CK Tactics and Techniques

| MITRE Tactics | MITRE Techniques | Description |
| --- | --- | --- |
| Execution | T1059 Command and Scripting Interpreter | Prestige is triggered via the command line. |
| Defense Evasion | T1112 Modify Registry | Prestige modifies the registry entry for the "shell open" action so that the ransom note is displayed when a victim attempts to open any file bearing the ".enc" extension. |
| Discovery | T1083 File and Directory Discovery | Prestige enumerates and targets files for encryption in every directory except "C:\Windows" and "C:\ProgramData\Microsoft". |
| Impact | T1491.001 Internal Defacement | Prestige places the ransom note named "README" in the "C:\Users\Public" directory. |
| Impact | T1489 Service Stop | Prestige stops the MSSQLSERVER service by executing the command "C:\Windows\System32\net.exe stop MSSQLSERVER". |
| Impact | T1486 Data Encrypted for Impact | Prestige encrypts files whose extensions appear in a list held in memory. |
| Impact | T1490 Inhibit System Recovery | Once encryption completes, Prestige deletes shadow copies and the backup catalog to hinder recovery. |

T1491.001 Internal Defacement

Prestige drops the ransom note README in the C:\Users\Public folder.

Figure 2: The Ransom Note in Memory

Figure 3: The Ransom Note is Dropped in the Filesystem

T1112 Modify Registry

Prestige modifies the registry entry for the ‘shell open’ action so that the ransom note is displayed when the victim opens a file with the “.enc” extension.

Figure 4: The Code Snippet Used to Modify the Shell Option via “reg.exe”

Figure 5: During Execution, the Sample Triggers “CreateProcess” to Modify the Registry (Part 1)

Figure 6: During Execution, the Sample Triggers “CreateProcess” to Modify the Registry (Part 2)

T1489 Service Stop

Prestige stops the MSSQLSERVER service by executing the command “C:\Windows\System32\net.exe stop MSSQLSERVER”.

Figure 7: The Code Snippet Used to Stop “MSSQLSERVER”

Figure 8: During Execution, the Sample Triggers “CreateProcess” to Stop “MSSQLSERVER”

T1486 Data Encrypted for Impact

First, Prestige ransomware initializes its cryptographic functionality, for example by loading the RSA public key.

Figure 9: The RSA X.509 Public Key in PEM Format

Figure 10: Cryptographic Functions

Prestige enumerates files for encryption in every folder except C:\Windows and C:\ProgramData\Microsoft.

Figure 11: The Files in These Folders Remain Unencrypted

Prestige then opens only those files whose extensions appear in a list held in memory.

Figure 12: A List of the File Extensions for File Encryption Taken From Address: .rdata+0x332dc

Lastly, Prestige encrypts each file, appends additional data to the end of it, and renames it by appending the .enc extension to the original file name.

Figure 13: The Code Snippet Used to Rename the Encrypted Files

Figure 14: The Encrypted File Is Appended with 275 Bytes of Data and Its Name Ends with “.enc”

Figure 15: The File Operations for File Encryption
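
The following Python is an added incident-response example, not code from this post or from the ransomware itself: it sweeps a directory tree for files matching the post's description of Prestige output (the .enc suffix from Figure 13 and the 275-byte trailer from Figure 14) and tallies them by original extension. The demo tree it builds is constructed sample data, and the skipped-folder parameter stands in for the C:\Windows and C:\ProgramData\Microsoft exclusions of Figure 11.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

TRAILER_LEN = 275    # bytes appended to every encrypted file (Figure 14)
ENC_SUFFIX = ".enc"  # extension appended to the original file name (Figure 13)

def looks_prestige_encrypted(path):
    """Name ends in .enc and the file is large enough to hold the trailer."""
    return path.suffix.lower() == ENC_SUFFIX and path.stat().st_size >= TRAILER_LEN

def read_trailer(path):
    """Return the appended block so it can be preserved for later analysis."""
    with open(path, "rb") as fh:
        fh.seek(-TRAILER_LEN, os.SEEK_END)
        return fh.read(TRAILER_LEN)

def inventory(root, skipped=()):
    """Walk root, pruning the subtrees in `skipped` (on a live host, the folders
    the sample leaves alone: C:\\Windows and C:\\ProgramData\\Microsoft)."""
    skip = [Path(s) for s in skipped]
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        # Edit dirnames in place so os.walk never descends into excluded folders.
        dirnames[:] = [d for d in dirnames
                       if not any(here / d == s or s in (here / d).parents for s in skip)]
        for name in filenames:
            p = here / name
            if looks_prestige_encrypted(p):
                found.append((str(p), Path(p.stem).suffix.lower()))
    return sorted(found)

def summarize(found):
    """Count encrypted files by original extension, e.g. {'.docx': 3}."""
    return dict(Counter(ext for _, ext in found))

def make_demo_tree():
    """Constructed sample tree (not real victim data) mirroring the post's layout."""
    root = Path(tempfile.mkdtemp())
    files = {  # relative path -> contents; 'T' * 275 stands in for the trailer
        "Users/Public/README": b"ransom note placeholder",
        "Users/victim/report.docx.enc": b"A" * 40 + b"T" * TRAILER_LEN,
        "Users/victim/db.bak.enc": b"B" * 1000 + b"T" * TRAILER_LEN,
        "Users/victim/tiny.enc": b"too small to carry a trailer",
        "Windows/system.log.enc": b"C" * 40 + b"T" * TRAILER_LEN,
    }
    for rel, data in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    return root
```

On a real host, `summarize(inventory(r"C:\", skipped=[r"C:\Windows", r"C:\ProgramData\Microsoft"]))` gives a per-extension count of affected files for scoping; `make_demo_tree()` exists only to exercise the functions offline.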

T1490 Inhibit System Recovery

Prestige deletes the backup catalog and shadow copies once file encryption is complete.

Figure 16: The Code Snippet Used to Delete Catalogs

Figure 17: The Code Snippet Used to Delete Shadow Copies

Figure 18: Prestige Ransomware Creates Multiple Processes for Different Functionalities
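
As an added defender-side example (not code from this post or from TXOne), the following Python maps the child processes documented in Figures 4 to 18 onto the ATT&CK techniques listed above and correlates them by parent process, so that one parent spawning reg.exe, net.exe and the recovery-deletion tools in succession stands out. It assumes Sysmon-style (parent image, child command line) tuples as input, constructed here rather than captured; the wbadmin and vssadmin patterns are an assumption, since the post does not name the commands used to delete the catalog and shadow copies.

```python
import re
from collections import defaultdict

# Detection rules: (ATT&CK ID cited in the post, description, case-insensitive
# regex over a child process command line). The reg.exe and net.exe patterns
# follow the behaviour the post documents; the wbadmin/vssadmin patterns are an
# assumption about how the catalog and shadow copies are commonly deleted.
RULES = [
    ("T1112", "shell\\open handler pointed at the README ransom note",
     r"\breg(\.exe)?\s+add\b.*shell\\open\\command.*C:\\Users\\Public\\README"),
    ("T1489", "MSSQLSERVER service stopped",
     r'\bnet(1|\.exe)?\s+stop\s+"?MSSQLSERVER"?'),
    ("T1490", "backup catalog deleted (assumed wbadmin usage)",
     r"\bwbadmin(\.exe)?\s+delete\s+catalog\b"),
    ("T1490", "shadow copies deleted (assumed vssadmin usage)",
     r"\bvssadmin(\.exe)?\s+delete\s+shadows\b"),
]
COMPILED = [(tid, desc, re.compile(pat, re.IGNORECASE)) for tid, desc, pat in RULES]

def match_rules(cmdline):
    """Return every (technique, description) whose pattern matches cmdline."""
    return [(tid, desc) for tid, desc, rx in COMPILED if rx.search(cmdline)]

def correlate(events, min_techniques=2):
    """events: iterable of (parent_image, child_cmdline). Returns the parents
    whose children cover at least min_techniques distinct techniques, i.e. the
    one-parent/many-CreateProcess pattern shown in Figure 18."""
    seen = defaultdict(set)
    for parent, cmd in events:
        for tid, _ in match_rules(cmd):
            seen[parent].add(tid)
    return {p: sorted(t) for p, t in seen.items() if len(t) >= min_techniques}

# Constructed process-creation events (parent image, child command line), not
# telemetry captured from the sample; the last one is benign admin noise.
SAMPLE_EVENTS = [
    (r"C:\Users\victim\prestige.exe",
     r"C:\Windows\System32\reg.exe add HKCR\enc\shell\open\command /ve /t REG_SZ "
     r'/d "C:\Windows\System32\notepad.exe C:\Users\Public\README" /f'),
    (r"C:\Users\victim\prestige.exe", r"C:\Windows\System32\net.exe stop MSSQLSERVER"),
    (r"C:\Users\victim\prestige.exe", r"C:\Windows\System32\wbadmin.exe delete catalog -quiet"),
    (r"C:\Users\victim\prestige.exe", r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\net.exe stop Spooler"),
]

if __name__ == "__main__":
    for parent, techniques in correlate(SAMPLE_EVENTS).items():
        print(f"{parent}: {', '.join(techniques)}")
```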

Security Recommendation

1. StellarProtect 3.0 can detect Prestige ransomware with Multi-Method Threat Prevention.

In StellarOne, users can identify the Prestige ransomware sample, detected as Ransom.Win32.PRESTIGE.THJAIBB, in the event details once the malware is dropped onto the endpoint’s filesystem.

Figure 19: The Event for Multi-Method Threat Prevention

2. StellarProtect 3.0 can detect the execution of Prestige ransomware with Operations Behavior Anomaly Detection (OBAD).

In StellarOne, a Prestige ransomware detection is reported as Event ID 4873, denoting that “Malicious application behavior has been detected by Operations Behavior Anomaly Detection”.

For more details, users can check the Rules Violated field.

Figure 20: The Event Shows “ADC0001: Suspicious file encryption” is Detected by OBAD

Figure 21: The Event Shows “Disable backup catalogs” is Detected by OBAD

Figure 22: The Event Shows “Delete shadow copy” is Detected by OBAD

3. No network behavior was observed for this sample of Prestige ransomware. However, users should be aware of the other tools that could be used to distribute this ransomware.

Indicators of Compromise (IoCs)

| Description | SHA256 |
| --- | --- |
| Prestige Ransomware Payload | 5dd1ca0d471dee41eb3ea0b6ea117810f228354fc3b7b47400a812573d40d91d |
| Prestige Ransomware Payload | 5fc44c7342b84f50f24758e39c8848b2f0991e8817ef5465844f5f2ff6085a57 |
| Prestige Ransomware Payload | 6cff0bbd62efe99f381e5cc0c4182b0fb7a9a34e4be9ce68ee6b0d0ea3eee39c |

TXOne Networks