S1058 Prestige
Prestige ransomware has been used by Sandworm Team since at least March 2022, including against transportation and related logistics industries in Ukraine and Poland in October 2022. [1]
Item | Value |
---|---|
ID | S1058 |
Associated Names | |
Type | MALWARE |
Version | 1.0 |
Created | 20 January 2023 |
Last Modified | 24 February 2023 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.001 | PowerShell | Prestige can use PowerShell for payload execution on targeted systems. [1] |
enterprise | T1486 | Data Encrypted for Impact | Prestige has leveraged the CryptoPP C++ library to encrypt files on target systems using AES and appends `.enc` to the names of encrypted files. [1] |
enterprise | T1484 | Domain Policy Modification | - |
enterprise | T1484.001 | Group Policy Modification | Prestige has been deployed using the Default Domain Group Policy Object from an Active Directory Domain Controller. [1] |
enterprise | T1083 | File and Directory Discovery | Prestige can traverse the file system to discover files to encrypt, selecting them by matching against a hardcoded list of file extensions. [1] |
enterprise | T1490 | Inhibit System Recovery | Prestige can delete the backup catalog from the target system using `c:\Windows\System32\wbadmin.exe delete catalog -quiet` and can also delete volume shadow copies using `\Windows\System32\vssadmin.exe delete shadows /all /quiet`. [1] |
enterprise | T1112 | Modify Registry | Prestige can register a new extension handler for its `.enc` extension by creating registry keys under `HKCR\.enc` and `HKCR\enc\shell\open\command`. [1] |
enterprise | T1106 | Native API | Prestige has used the `Wow64DisableWow64FsRedirection()` and `Wow64RevertWow64FsRedirection()` functions to disable and restore file system redirection. [1] |
enterprise | T1053 | Scheduled Task/Job | - |
enterprise | T1053.005 | Scheduled Task | Prestige has been executed on a target system through a scheduled task created by Sandworm Team using Impacket. [1] |
enterprise | T1489 | Service Stop | Prestige has attempted to stop the MSSQL Windows service to ensure successful encryption, using `C:\Windows\System32\net.exe stop MSSQLSERVER`. [1] |
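The rows for T1490, T1489 and T1112 describe concrete, loggable host activity: two recovery-inhibition commands, a service stop, and creation of an `.enc` extension handler under HKCR. The following hunt logic is an added example (it is not MITRE's content and not code from the Prestige sample) that runs those checks over process-creation and registry events and then correlates per host, since any one of these actions can be legitimate on its own but the combination on a single machine is a ransomware precursor pattern. Event field names (`EventID`, `Host`, `CommandLine`, `TargetObject`) are assumed to follow Sysmon's schema, and the sample events are constructed, not real telemetry.

```python
import re
from collections import defaultdict

# Detection rules for the Prestige behaviours in the table above. Each rule is
# (ATT&CK technique, rule name, pattern). Process rules are matched against the
# CommandLine of a process-creation event; registry rules against the
# TargetObject of a registry key/value event.
PROCESS_RULES = [
    ("T1490", "wbadmin backup catalog deletion",
     re.compile(r"wbadmin(?:\.exe)?\s+delete\s+catalog", re.I)),
    ("T1490", "vssadmin shadow copy deletion",
     re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("T1489", "MSSQL service stop via net.exe",
     re.compile(r"\bnet1?(?:\.exe)?\s+stop\s+MSSQLSERVER\b", re.I)),
]
REGISTRY_RULES = [
    ("T1112", ".enc extension handler registered under HKCR",
     re.compile(r"^HKCR\\(?:\.enc|enc\\shell\\open\\command)$", re.I)),
]

# Constructed sample telemetry (not real logs). Field names are assumed to
# follow Sysmon: EventID 1 = process creation, 12/13 = registry key/value.
SAMPLE_EVENTS = [
    {"EventID": 1, "Host": "srv01",
     "CommandLine": r"c:\Windows\System32\wbadmin.exe delete catalog -quiet"},
    {"EventID": 1, "Host": "srv01",
     "CommandLine": r"\Windows\System32\vssadmin.exe delete shadows /all /quiet"},
    {"EventID": 1, "Host": "srv01",
     "CommandLine": r"C:\Windows\System32\net.exe stop MSSQLSERVER"},
    {"EventID": 12, "Host": "srv01", "TargetObject": r"HKCR\.enc"},
    {"EventID": 13, "Host": "srv01",
     "TargetObject": r"HKCR\enc\shell\open\command"},
    # Benign activity on another host: listing shadow copies is routine
    # administration and must not fire.
    {"EventID": 1, "Host": "ws07",
     "CommandLine": "vssadmin.exe list shadows"},
]


def detect(events):
    """Return one hit per matching event as (technique, rule name, host, evidence).

    Process creation is accepted as Sysmon EventID 1 or Security 4688 (both carry
    a CommandLine field when command-line auditing is enabled); registry events
    as Sysmon EventID 12 (key created/deleted) or 13 (value set).
    """
    hits = []
    for ev in events:
        eid = ev.get("EventID")
        if eid in (1, 4688):
            for tid, name, rx in PROCESS_RULES:
                if rx.search(ev.get("CommandLine", "")):
                    hits.append((tid, name, ev["Host"], ev["CommandLine"]))
        elif eid in (12, 13):
            for tid, name, rx in REGISTRY_RULES:
                if rx.search(ev.get("TargetObject", "")):
                    hits.append((tid, name, ev["Host"], ev["TargetObject"]))
    return hits


def hosts_with_technique_overlap(hits, min_techniques=2):
    """Hosts on which at least `min_techniques` distinct techniques fired.

    A lone vssadmin or net stop call is often legitimate; recovery inhibition,
    service stop and .enc handler registration together on one host is the
    pre-encryption sequence the table describes and deserves an alert.
    """
    per_host = defaultdict(set)
    for tid, _name, host, _evidence in hits:
        per_host[host].add(tid)
    return {h for h, tids in per_host.items() if len(tids) >= min_techniques}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for tid, name, host, evidence in found:
        print(f"{host}: {tid} {name}: {evidence}")
    print("hosts with overlapping techniques:", hosts_with_technique_overlap(found))
```

In a SIEM the per-host correlation would be bounded by a time window; the example correlates over the whole input because the constructed sample is a single burst of activity.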
Groups That Use This Software
ID | Name | References |
---|---|---|
G0034 | Sandworm Team | [1] |