Microsoft Discovers Ransomware Targeting Organisations In Ukraine And Poland

Microsoft has identified a ransomware campaign that is targeting organisations in Ukraine and Poland. The novel ransomware campaign utilises a previously unidentified ransomware payload.

The newly identified ransomware is particularly targeting organisations in the transportation and related logistics industries in Ukraine and Poland. The campaign labels itself in its ransom note as “Prestige ranusomeware”, being deployed on October 11 in attacks occurring within an hour of each other across all victims.

This campaign has several features that differentiate it from other Microsoft-tracked ransomware campaign including:

• The enterprise-wide deployment of ransomware is not common in Ukraine, and this activity was not connected to any of the 94 currently active ransomware activity groups that Microsoft tracks
• The Prestige ransomware had not been observed by Microsoft prior to this deployment
• The activity shares victimology with recent Russian state-aligned activity, specifically on affected geographies and countries, and overlaps with previous victims of the FoxBlade malware (also known as HermeticWiper)

Despite using similar deployment techniques, the campaign is distinct from recent destructive attacks leveraging AprilAxe (ArguePatch)/CaddyWiper or Foxblade (HermeticWiper) that have impacted multiple critical infrastructure organisations in Ukraine over the last two weeks. 

The Microsoft Threat Intelligence Center (MSTIC) has not yet linked this ransomware campaign to a known threat group and is continuing investigations.