Prestige Ransomware

Malware updated 4 months ago (2024-05-04T17:47:20.802Z)
Prestige is a ransomware family that Microsoft had not observed before its deployment. It was first detected in the fall of 2022, when it was deployed against logistics companies in Ukraine and Poland. Like other ransomware, it often infiltrates through suspicious downloads, emails, or websites and, once inside a system, can steal personal information, disrupt operations, or hold data hostage for ransom. Unlike traditional ransomware attacks, the attackers did not intend to provide a key for decrypting the encrypted data, which suggests a destructive rather than financial motive. Microsoft Defender Antivirus identifies known Prestige payloads by the specific file hashes associated with this malware.

Security firm WithSecure noted overlaps between the Kapeka and GreyEnergy attacks and the Prestige ransomware attacks, and attributed them to the Russia-linked Sandworm APT group. This connection was further supported when Kapeka's deployment coincided with the reported Prestige attacks in Poland and Ukraine, incidents that Microsoft also attributed to Sandworm. Although pointing to Russian cyber-offensive groups as the culprits behind Prestige may seem the obvious choice, evidence-based attribution is a different matter. Nevertheless, security experts have noted that Sandworm changed tactics in the fall of 2022 and began using Prestige to infect Polish and Ukrainian logistics firms, in an attempt to disguise itself as a non-government hacking team. Such destructive attacks are likely to continue and could extend to organizations in countries that provide military and logistics support to Ukraine.
Description last updated: 2024-05-04T16:45:11.323Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Prestige | 5 | Prestige is a malicious software (malware) that has been linked to several disruptive cyberattacks. In October 2022, the malware was used in ransomware attacks against Ukrainian and Polish logistics companies. These attacks were attributed to Sandworm, an advanced persistent threat (APT) group belie
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ukraine
Ransomware
Russia
Associated Malware
ID | Type | Votes | Profile Description
Nikowiper | Unspecified | 2 | NikoWiper is a malicious software (malware) identified as a new data wiper attributed to Sandworm, a state-backed hacker group linked with Russia's Main Directorate of the General Staff of the Armed Forces (GRU). This malware, unique in its design compared to other strains, was used in an attack on
CaddyWiper | Unspecified | 2 | CaddyWiper is a destructive malware, a type of malicious software designed to exploit and damage computer systems. It was one of several malwares deployed against Ukraine starting in January 2022 by the Russian Advanced Persistent Threat (APT) group, alongside others such as WhisperGate, HermeticWip
Kapeka | Unspecified | 2 | Kapeka is a previously unknown malware that operates as a backdoor into systems, linked to the Russian Sandworm Advanced Persistent Threat (APT) group. The malicious software can infiltrate a system through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, i
Associated Threat Actors
ID | Type | Votes | Profile Description
Sandworm | Unspecified | 2 | Sandworm, a Russia-linked threat actor group, has been implicated in a series of significant cyber-attacks targeting Ukraine's infrastructure. The group successfully compromised 11 Ukrainian telecommunication providers, demonstrating their extensive capabilities and the broad reach of their operatio
Source Document References
Information about the Prestige ransomware was drawn from the documents listed below. This display is limited to 20 results.
Source | Created | Title
InfoSecurity-magazine | 5 months ago | Russian Sandworm Group Using Novel Backdoor to Target Ukraine and Allies
Securityaffairs | 5 months ago | Previously unknown Kapeka backdoor linked to Sandworm APT
BankInfoSecurity | 5 months ago | Likely Sandworm Hackers Using Novel Backdoor 'Kapeka'
CERT-EU | a year ago | ESET Research Podcast: A year of fighting rockets, soldiers, and wipers in Ukraine
CERT-EU | a year ago | Leaked Documents Detail Russia's Cyberwarfare Tools, Including for OT Attacks
InfoSecurity-magazine | a year ago | Russian Military Preparing New Destructive Attacks: Microsoft
ESET | 2 years ago | A year of wiper attacks in Ukraine | WeLiveSecurity
CSO Online | 2 years ago | APT groups use ransomware TTPs as cover for intelligence gathering and sabotage
ESET | a year ago | ESET Research Podcast: A year of fighting rockets, soldiers, and wipers in Ukraine | WeLiveSecurity
BankInfoSecurity | a year ago | Ukraine Tracks Increased Russian Focus on Cyberespionage
CERT-EU | a year ago | Ukraine, Israel, South Korea top list of most-targeted countries for cyberattacks
MITRE | 9 months ago | New "Prestige" ransomware impacts organizations in Ukraine and Poland | Microsoft Security Blog
Securelist | 2 years ago | Reassessing cyberwarfare. Lessons learned in 2022