Cyber Incident Victim: Government of Ukraine

Date:

Oct 2022

Location:

Ukraine

Summary

A ransomware campaign deploying the newly identified Prestige malware targeted organizations primarily in Ukraine's transportation and logistics sectors, with additional victims in Poland. The ransomware was pushed to Windows hosts across each victim environment and executed within a short window, encrypting files and causing operational disruption. Microsoft later attributed the activity to the IRIDIUM threat actor group, noting its focus on critical supply chain infrastructure. The incident showed tactics tailored to maximize disruption in the logistics industry by compromising many systems in one coordinated wave rather than one victim at a time.


Description

On October 11, 2022, a newly identified ransomware variant dubbed "Prestige" was deployed against organizations in Ukraine and Poland, primarily within the transportation and logistics sectors. The activity had the hallmarks of a coordinated campaign: multiple victims were hit within a short timeframe of one another. Initial forensic analysis indicated that the attackers already held privileged credentials for the victim domains and used those legitimate accounts to move laterally and stage the payload before it was executed across the environment. Prestige followed a multi-stage execution flow: it first stopped database services (the MSSQL Windows service in particular) so that otherwise locked database files could be encrypted, then encrypted files matching a list of targeted extensions, appending the ".enc" extension to each filename. Directories the operating system needs to run were skipped, which keeps compromised hosts bootable and the ransom note readable; it is not a persistence mechanism. Impacted organizations experienced operational interruptions, including delayed shipments and service outages, particularly affecting supply chain operations in the affected regions.


Microsoft's security teams detected the activity through telemetry and initiated an investigation, attributing the attacks to a single actor based on infrastructure overlaps and tradecraft consistency. The ransomware did not match any known ransomware family: it uses standard AES file encryption with the file key protected by an RSA public key embedded in the binary, rather than a novel cipher, and it drops a ransom note in its own distinct format. Recovery efforts required affected organizations to rebuild systems from backups, since no decryption tool was available at the time of discovery. Microsoft Defender for Endpoint and other security products were updated to detect Prestige-related indicators of compromise, and threat intelligence was disseminated to customers via security advisories. The attackers relied on living-off-the-land techniques, using native tooling such as PowerShell remoting and Windows Management Instrumentation to execute the payload remotely and to blend in with routine administrative activity. Post-incident analysis noted that the campaign's timing and targeting aligned with geopolitical tensions; Microsoft initially tracked the activity under the temporary designation DEV-0960, and the attribution to IRIDIUM followed only in November 2022, after the initial response phase.
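The detection angle a defender would want from the two paragraphs above, written as an added example that is not part of the original entry and is not Microsoft's published detection logic: a small Python triage script that scans constructed Windows process-creation and file-rename events for the three behaviours described, a database service being stopped ahead of encryption, remote-execution fan-out from one account to many hosts via WMI or PowerShell remoting, and a burst of files gaining the .enc extension on one host. Host names, user names, command lines, file paths, the event schema and the thresholds are all assumed for illustration.

```python
"""Triage rules for Prestige-style ransomware precursors over constructed telemetry.

Added example; the events below are made up and the field layout is assumed
(a flattened mix of process-creation and file-rename records).
"""
import re
from collections import defaultdict

# Constructed sample events (not real logs). ts = seconds, arbitrary origin.
EVENTS = [
    # Fan-out of remote execution from one workstation/account to several hosts
    {"ts": 100, "host": "WS-ADMIN", "kind": "process", "user": "CORP\\svc_backup",
     "cmd": 'wmic.exe /node:LOG-SRV01 process call create "C:\\Windows\\Temp\\upd.exe"'},
    {"ts": 101, "host": "WS-ADMIN", "kind": "process", "user": "CORP\\svc_backup",
     "cmd": 'wmic.exe /node:LOG-SRV02 process call create "C:\\Windows\\Temp\\upd.exe"'},
    {"ts": 102, "host": "WS-ADMIN", "kind": "process", "user": "CORP\\svc_backup",
     "cmd": "powershell.exe Invoke-Command -ComputerName DB-SRV01 -ScriptBlock {C:\\Windows\\Temp\\upd.exe}"},
    # Pre-encryption step: stopping the database service so its files can be locked
    {"ts": 110, "host": "DB-SRV01", "kind": "process", "user": "NT AUTHORITY\\SYSTEM",
     "cmd": "net.exe stop MSSQLSERVER"},
    # Benign DBA activity that must not fire
    {"ts": 111, "host": "DB-SRV01", "kind": "process", "user": "CORP\\dba",
     "cmd": "net.exe start MSSQLSERVER"},
    # Burst of renames to the .enc extension on a single host
    *[{"ts": 120 + i, "host": "LOG-SRV01", "kind": "file",
       "path": f"D:\\shipments\\manifest_{i}.xlsx.enc"} for i in range(25)],
    # One stray .enc file elsewhere, below any sensible burst threshold
    {"ts": 130, "host": "LOG-SRV02", "kind": "file", "path": "C:\\temp\\notes.txt.enc"},
]

# Rule 1: stopping a database service (MSSQL and a few other common engines).
DB_SERVICE_STOP = re.compile(
    r"\b(net1?|sc)(\.exe)?\s+stop\s+(MSSQL\S*|SQL\S*|MySQL\S*|postgres\S*|Oracle\S*)", re.I)

# Rule 2: remote execution primitives that name their target host.
REMOTE_EXEC_PATTERNS = [
    re.compile(r"wmic(?:\.exe)?\s+/node:(?P<target>[\w.-]+)", re.I),
    re.compile(r"Invoke-Command\s+(?:.*\s)?-ComputerName\s+(?P<target>[\w.-]+)", re.I),
]

ENC_SUFFIX = ".enc"  # extension Prestige appends to encrypted files


def detect_db_service_stops(events):
    """Process events whose command line stops a database service."""
    return [e for e in events if e["kind"] == "process" and DB_SERVICE_STOP.search(e["cmd"])]


def detect_remote_exec_fanout(events, min_targets=3):
    """(host, user) pairs that launched code on at least min_targets distinct remote hosts."""
    targets = defaultdict(set)
    for e in events:
        if e["kind"] != "process":
            continue
        for pat in REMOTE_EXEC_PATTERNS:
            m = pat.search(e["cmd"])
            if m:
                targets[(e["host"], e["user"])].add(m.group("target").upper())
    return {src: sorted(t) for src, t in targets.items() if len(t) >= min_targets}


def detect_mass_encryption(events, ext=ENC_SUFFIX, min_files=20, window=60):
    """Hosts on which at least min_files files gained `ext` within `window` seconds."""
    per_host = defaultdict(list)
    for e in events:
        if e["kind"] == "file" and e["path"].lower().endswith(ext):
            per_host[e["host"]].append(e["ts"])
    hits = {}
    for host, times in per_host.items():
        times.sort()
        for i, t0 in enumerate(times):
            # Sliding window anchored at each rename; first window over threshold wins.
            n = sum(1 for t in times[i:] if t - t0 <= window)
            if n >= min_files:
                hits[host] = n
                break
    return hits


def triage(events):
    """Run all three rules and return their findings keyed by rule name."""
    return {
        "db_service_stop": [(e["host"], e["cmd"]) for e in detect_db_service_stops(events)],
        "remote_exec_fanout": detect_remote_exec_fanout(events),
        "mass_encryption": detect_mass_encryption(events),
    }


if __name__ == "__main__":
    for rule, findings in triage(EVENTS).items():
        print(rule, findings)
```

The ordering of the rules mirrors the ordering of the attack: the fan-out and service-stop signals fire before any file is touched, so they are the ones worth paging on; the .enc burst is a confirmation signal that arrives when encryption is already under way. Thresholds (three targets, twenty renames per minute) are starting points and should be tuned against the baseline of legitimate remote administration in the environment.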
