Summary of Prestige Ransomware

  • Prestige ransomware emerged in October 2022.
  • Initial footholds are often obtained via COTS or LOLBINS (Impacket WMIexec, Remote Exec, ntdsutil.exe, winPEAS) .
  • Early Prestige campaigns were targeted primarily at entities in Poland and Ukraine.

Prestige Ransomware

What Does Prestige Ransomware Target?

  • Targeted attacks in Poland and Ukraine

How Does Prestige Ransomware Spread?

  • Phishing and spear phishing emails
  • Third-party framework (e.g., Empire, Metasploit, Cobalt Strike)

Prestige Ransomware Technical Details

Prestige ransomware was first observed in October 2022. The malware has been tied to multiple targeted attacks affecting entities in Poland and Ukraine. Prestige-centric campaigns have not yet been linked to any other prior, specific, attacks against Ukraine. Initial footholds are often obtained via COTS or LOLBINS (Impacket WMIexec, Remote Exec, ntdsutil.exe, winPEAS).

Once launched, the malware locates files matching prescribed criteria for encryption. Affected files are noted with a “.enc” extension. The malware also registers a custom file handler (via registry). In addition, the malware attempts to delete Volume Shadow Copies as well as the local Backup Catalog (wbadmin.exe). When spreading to adjacent hosts, the ADMIN$ is preferred. Copies of the payload are written to the remote host, followed by launching via schedule task. Scheduled task creation is handled via Impacket.

How to Detect Prestige Ransomware

  • The SentinelOne Endpoint Protection Platform is capable of detecting and preventing malicious behaviors and artifacts associated with Prestige ransomware.

How to Mitigate Prestige Ransomware

  • The SentinelOne Endpoint Protection Platform will restore systems to their pre-infection state (via Repair or Rollback).

How to Remove Prestige Ransomware

  • SentinelOne customers are protected from Prestige ransomware without any need to update or take action. In cases where the policy was set to Detect Only and a device became infected, remove the infection by using SentinelOne’s unique rollback capability. As the accompanying video shows, the rollback will revert any malicious impact on the device and restore encrypted files to their original state.