
S1058 Prestige

Prestige ransomware has been used by Sandworm Team since at least March 2022, including against transportation and related logistics industries in Ukraine and Poland in October 2022.[1]

ID: S1058
Associated Names:
Version: 1.0
Created: 20 January 2023
Last Modified: 24 February 2023

Techniques Used

Domain | ID | Name | Use
enterprise | T1059 | Command and Scripting Interpreter | -
enterprise | T1059.001 | PowerShell | Prestige can use PowerShell for payload execution on targeted systems.[1]
enterprise | T1486 | Data Encrypted for Impact | Prestige has leveraged the CryptoPP C++ library to encrypt files on target systems using AES and appended filenames with .enc.[1]
enterprise | T1484 | Domain Policy Modification | -
enterprise | T1484.001 | Group Policy Modification | Prestige has been deployed using the Default Domain Group Policy Object from an Active Directory Domain Controller.[1]
enterprise | T1083 | File and Directory Discovery | Prestige can traverse the file system to discover files to encrypt by identifying specific extensions defined in a hardcoded list.[1]
enterprise | T1490 | Inhibit System Recovery | Prestige can delete the backup catalog from the target system using: c:\Windows\System32\wbadmin.exe delete catalog -quiet and can also delete volume shadow copies using: \Windows\System32\vssadmin.exe delete shadows /all /quiet.[1]
enterprise | T1112 | Modify Registry | Prestige has the ability to register new registry keys for a new extension handler via HKCR\.enc and HKCR\enc\shell\open\command.[1]
enterprise | T1106 | Native API | Prestige has used the Wow64DisableWow64FsRedirection() and Wow64RevertWow64FsRedirection() functions to disable and restore file system redirection.[1]
enterprise | T1053 | Scheduled Task/Job | -
enterprise | T1053.005 | Scheduled Task | Prestige has been executed on a target system through a scheduled task created by Sandworm Team using Impacket.[1]
enterprise | T1489 | Service Stop | Prestige has attempted to stop the MSSQL Windows service to ensure successful encryption using C:\Windows\System32\net.exe stop MSSQLSERVER.[1]
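As an added example that is not part of the ATT&CK page: a small Python check, run over constructed Sysmon-style process-creation and registry events, that flags the exact command lines and registry paths listed above for T1490, T1489 and T1112. The event field names (id, image, cmd, target) are assumptions for the sample records, not a real log schema.

```python
import re

# Constructed sample telemetry (not from the page): Sysmon-style process-creation
# (EventID 1) and registry value-set (EventID 13) records, flattened to dicts.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\wbadmin.exe",
     "cmd": r"c:\Windows\System32\wbadmin.exe delete catalog -quiet"},
    {"id": 1, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": r"\Windows\System32\vssadmin.exe delete shadows /all /quiet"},
    {"id": 1, "image": r"C:\Windows\System32\net.exe",
     "cmd": r"C:\Windows\System32\net.exe stop MSSQLSERVER"},
    {"id": 13, "target": r"HKCR\.enc"},
    {"id": 13, "target": r"HKCR\enc\shell\open\command"},
    {"id": 1, "image": r"C:\Windows\System32\net.exe",   # benign: not MSSQL
     "cmd": r"net.exe stop Spooler"},
    {"id": 13, "target": r"HKCR\.txt"},                   # benign extension key
]

# Each rule: ATT&CK technique ID, event type, field to inspect, case-insensitive
# regex. Patterns are written to survive path, extension and casing variation
# in the command line while still requiring the page's specific arguments.
RULES = [
    ("T1490", 1, "cmd", r"wbadmin(\.exe)?\s+delete\s+catalog"),
    ("T1490", 1, "cmd", r"vssadmin(\.exe)?\s+delete\s+shadows"),
    ("T1489", 1, "cmd", r"net(1)?(\.exe)?\s+stop\s+MSSQLSERVER\b"),
    ("T1112", 13, "target", r"^HKCR\\\.enc$"),
    ("T1112", 13, "target", r"^HKCR\\enc\\shell\\open\\command$"),
]


def match_prestige_behaviours(events):
    """Return (technique_id, event_index, matched_value) for every event that
    matches one of the Prestige behaviours listed on the page."""
    hits = []
    for idx, ev in enumerate(events):
        for technique, etype, field, pattern in RULES:
            if ev.get("id") != etype:
                continue
            value = ev.get(field, "")
            if re.search(pattern, value, re.IGNORECASE):
                hits.append((technique, idx, value))
                break  # one finding per event is enough
    return hits


if __name__ == "__main__":
    for technique, idx, value in match_prestige_behaviours(SAMPLE_EVENTS):
        print(f"{technique}: event {idx}: {value}")
```

The two benign records at the end show that the rules key on the page's specific arguments (the MSSQLSERVER service, the .enc handler keys) rather than on the tools alone, which are also used legitimately.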

Groups That Use This Software

ID | Name | References
G0034 | Sandworm Team | [1]