Prestige Ransomware: In-Depth Analysis, Detection, Mitigation

Summary of Prestige Ransomware

  • Prestige ransomware emerged in October 2022.
  • Initial footholds are often obtained via COTS or LOLBINS (Impacket WMIexec, Remote Exec, ntdsutil.exe, winPEAS) .
  • Early Prestige campaigns were targeted primarily at entities in Poland and Ukraine.

Prestige Ransomware - Featured Image | SentinelOne

What Does Prestige Ransomware Target?

  • Targeted attacks in Poland and Ukraine

How Does Prestige Ransomware Spread?

  • Phishing and spear phishing emails
  • Third-party framework (e.g., Empire, Metasploit, Cobalt Strike)

Prestige Ransomware Technical Details

Prestige ransomware was first observed in October 2022. The malware has been tied to multiple targeted attacks affecting entities in Poland and Ukraine. Prestige-centric campaigns have not yet been linked to any other prior, specific, attacks against Ukraine. Initial footholds are often obtained via COTS or LOLBINS (Impacket WMIexec, Remote Exec, ntdsutil.exe, winPEAS).

Once launched, the malware locates files matching prescribed criteria for encryption. Affected files are noted with a “.enc” extension. The malware also registers a custom file handler (via registry). In addition, the malware attempts to delete Volume Shadow Copies as well as the local Backup Catalog (wbadmin.exe). When spreading to adjacent hosts, the ADMIN$ is preferred. Copies of the payload are written to the remote host, followed by launching via schedule task. Scheduled task creation is handled via Impacket.

How to Detect Prestige Ransomware

The SentinelOne Endpoint Protection Platform is capable of detecting and preventing malicious behaviors and artifacts associated with Prestige ransomware.

How to Mitigate Prestige Ransomware

The SentinelOne Endpoint Protection Platform will restore systems to their pre-infection state (via Repair or Rollback).

How to Remove Prestige Ransomware

SentinelOne customers are protected from Prestige ransomware without any need to update or take action. In cases where the policy was set to Detect Only and a device became infected, remove the infection by using SentinelOne’s unique rollback capability. As the accompanying video shows, the rollback will revert any malicious impact on the device and restore encrypted files to their original state.

Prestige Ransomware FAQs

What is Prestige Ransomware?

Prestige ransomware is a hostile variant discovered in October 2022 explicitly aimed at transportation and logistics organizations in Poland and Ukraine. Prestige encrypts files after infecting the target system and adds the \”.enc\” suffix to their names. Prestige adds the ransom note entitled “README” to the Public user’s directory, providing the attack’s details, including ransom negotiations contact information.

In which countries have Prestige Ransomware been predominantly observed?

Prestige ransomware has been predominantly observed in Ukraine and Poland. It focuses on the transportation and logistics industries. ​

How does Prestige Ransomware encrypt files?

After Prestige ransomware infects a system, it systematically encrypts files on the infected system. It uses a hybrid encryption algorithm: AES-256 to encrypt files and RSA-2048 to encrypt the encryption keys.

What file extensions does Prestige Ransomware append to encrypted files?

After encrypting files, Prestige ransomware appends the “.enc” extension to the original filenames. For example, a file named “document.docx” would be renamed to “document.docx.enc” following encryption.

Does Prestige Ransomware delete system backups or shadow copies?

Yes. Prestige ransomware tries to interfere with data recovery by removing volume shadow copies from the victims’ systems. By deleting backups, the ransomware makes recovering the victims’ files difficult without paying the ransom.

What methods are used to deploy Prestige Ransomware within networks?

Prestige ransomware spreads over networks via highly privileged domain credentials. Attackers exploit such credentials to spread the ransomware payload over several systems within an hour, showing a coordinated and effective attack.

How can organizations detect an ongoing Prestige Ransomware attack?

Organizations may determine if there is an active Prestige ransomware attack by looking for uncharacteristic network behavior, such as rapid file encryption or the sudden deletion of shadow copies. They can use advanced threat detection software like SentinelOne and conduct routine security scans for early detection and response.

What steps should be taken immediately after a Prestige Ransomware infection?

When a Prestige ransomware infection is detected, organizations must isolate affected systems to prevent spreading, establish the extent of the compromise, and consult with cybersecurity professionals on recovery and remediation. The ransom payment is also not advisable, as this does not guarantee data recovery and may promote further attacks.

How can organizations restore data encrypted by Prestige Ransomware?

Due to the robustness of Prestige ransomware’s encryption algorithms, restoring encrypted files may be challenging. Restoration must be from safe, off-site backups. Regular backup and disaster recovery plan testing ensures that data can be restored without issues during an attack.