{"id":123640,"date":"2022-10-14T12:00:00","date_gmt":"2022-10-14T19:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=123640"},"modified":"2023-10-13T07:12:57","modified_gmt":"2023-10-13T14:12:57","slug":"new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/10\/14\/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland\/","title":{"rendered":"New \u201cPrestige\u201d ransomware impacts organizations in Ukraine and Poland"},"content":{"rendered":"\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><strong>April 2023 update<\/strong> \u2013 Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the theme of weather. <strong>IRIDIUM<\/strong> is now tracked as <strong>Seashell Blizzard<\/strong>. <\/p>\n\n\n\n<p>To learn about how the new taxonomy represents the origin, unique traits, and impact of threat actors, and to get a complete mapping of threat actor names, read this blog: <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/04\/18\/microsoft-shifts-to-a-new-threat-actor-naming-taxonomy\/\"><strong>Microsoft shifts to a new threat actor naming taxonomy<\/strong><\/a>.<\/p>\n\n\n\n<p><strong>November 10, 2022 update:<\/strong> MSTIC has updated this blog to document assessed attribution of DEV-0960 as IRIDIUM, the actor that executed the Prestige ransomware-style attacks.<\/p>\n<\/blockquote>\n\n\n\n<p>The Microsoft Threat Intelligence Center (MSTIC) has identified evidence of a novel ransomware campaign targeting organizations in the transportation and related logistics industries in Ukraine and Poland utilizing a previously unidentified ransomware payload. We observed this new ransomware, which labels itself in its ransom note as \u201cPrestige ranusomeware\u201d, being deployed on October 11 in attacks occurring within an hour of each other across all victims.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Attribution to IRIDIUM<\/h2>\n\n\n\n<p>As of November 2022, MSTIC assesses that IRIDIUM very likely executed the Prestige ransomware-style attack. IRIDIUM is a Russia-based threat actor tracked by Microsoft, publicly overlapping with Sandworm, that has been consistently active in the war in Ukraine and has been linked to destructive attacks since the start of the war. This attribution assessment is based on forensic artifacts, as well as overlaps in victimology, tradecraft, capabilities, and infrastructure, with known IRIDIUM activity. Review of technical artifacts available to Microsoft links IRIDIUM to interactive compromise activity at multiple Prestige victims as far back as March 2022 and continuing within the week leading up to the October 2022 attack discussed in the blog below.<\/p>\n\n\n\n<p>The Prestige campaign may highlight a measured shift in IRIDIUM\u2019s destructive attack calculus, signaling increased risk to organizations directly supplying or transporting humanitarian or military assistance to Ukraine. More broadly, it may represent an increased risk to organizations in Eastern Europe that may be considered by the Russian state to be providing support relating to the war.<\/p>\n\n\n\n<p>Microsoft would like to acknowledge CERT UA for their cooperation and information sharing to assist in our investigations. CERT UA continues to demonstrate incredible resolve and commitment to security despite physical danger.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Observed actor activity<\/h2>\n\n\n\n<p>This ransomware campaign had several notable features that differentiate it from other Microsoft-tracked ransomware campaigns:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The enterprise-wide deployment of ransomware is not common in Ukraine, and this activity was not connected to any of the 94 currently active ransomware activity groups that Microsoft tracks<\/li>\n\n\n\n<li>The Prestige ransomware had not been observed by Microsoft prior to this deployment<\/li>\n\n\n\n<li>The activity shares victimology with recent Russian state-aligned activity, specifically on affected geographies and countries, and overlaps with previous victims of the FoxBlade malware (also known as HermeticWiper)<\/li>\n<\/ul>\n\n\n\n<p>Despite using similar deployment techniques, the campaign is distinct from recent destructive attacks leveraging AprilAxe (ArguePatch)\/CaddyWiper or Foxblade (HermeticWiper) that have impacted multiple critical infrastructure organizations in Ukraine over the last two weeks. MSTIC has not yet linked this ransomware campaign to a known threat group and is continuing investigations. MSTIC is tracking this activity as IRIDIUM.<\/p>\n\n\n\n<p>This blog aims to provide awareness and indicators of compromise (IOCs) to Microsoft customers and the larger security community. Microsoft continues to monitor this and is in the process of early notification to customers impacted by IRIDIUM but not yet ransomed. MSTIC is also actively working with the broader security community and other strategic partners to share information that can help address this evolving threat through multiple channels.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Pre-ransomware activities<\/h3>\n\n\n\n<p>Prior to deploying ransomware, the IRIDIUM activity included the use of the following two remote execution utilities:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>RemoteExec \u2013 a commercially available tool for agentless remote code execution<\/li>\n\n\n\n<li>Impacket WMIexec \u2013 an open-source script-based solution for remote code execution<\/li>\n<\/ul>\n\n\n\n<p>To gain access to highly privileged credentials, in some of the environments, IRIDIUM used these tools for privilege escalation and credential extraction:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>winPEAS \u2013 an open-source collection of scripts to perform privilege escalation on Windows<\/li>\n\n\n\n<li><a href=\"https:\/\/attack.mitre.org\/techniques\/T1003\/001\/\">comsvcs.dll<\/a> \u2013 used to dump the memory of the LSASS process and steal credentials<\/li>\n\n\n\n<li>ntdsutil.exe \u2013 used to back up the Active Directory database, likely for later use credentials<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Ransomware deployment<\/h3>\n\n\n\n<p>In all observed deployments, the attacker had already gained access to highly privileged credentials, like Domain Admin, to facilitate the ransomware deployment. Initial access vector has not been identified at this time, but in some instances it\u2019s possible that the attacker might have already had existing access to the highly privileged credentials from a prior compromise. In these instances, the attack timeline starts with the attacker already having Domain Admin-level access and staging their ransomware payload.<\/p>\n\n\n\n<p>Most ransomware operators develop a preferred set of tradecraft for their payload deployment and execution, and this tradecraft tends to be consistent across victims, unless a security configuration prevents their preferred method. For this IRIDIUM activity, the methods used to deploy the ransomware varied across the victim environments, but it does not appear to be due to security configurations preventing the attacker from using the same techniques. This is especially notable as the ransomware deployments all occurred within one hour. The distinct methods for ransomware deployment were:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Method 1: <\/strong>The ransomware payload is copied to the ADMIN$ share of a remote system, and Impacket is used to remotely create a Windows Scheduled Task on target systems to execute the payload<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1000\" height=\"500\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/Method1c.png\" alt=\"\" class=\"wp-image-123775\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/Method1c.png 1000w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/Method1c-300x150.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/Method1c-768x384.png 768w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Method 2:<\/strong> The ransomware payload is copied to the ADMIN$ share of a remote system, and Impacket is used to remotely invoke an encoded PowerShell command on target systems to execute the payload<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1000\" height=\"500\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/Method2c.png\" alt=\"\" class=\"wp-image-123784\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/Method2c.png 1000w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/Method2c-300x150.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/Method2c-768x384.png 768w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Method 3:<\/strong> The ransomware payload is copied to an Active Directory Domain Controller and deployed to systems using the Default Domain Group Policy Object<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1000\" height=\"460\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/Method3c.png\" alt=\"\" class=\"wp-image-123787\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/Method3c.png 1000w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/Method3c-300x138.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/Method3c-768x353.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/Method3c-539x249.png 539w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/Method3c-465x215.png 465w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Malware analysis<\/h3>\n\n\n\n<p>The \u201cPrestige\u201d ransomware requires administrative privileges to run. Like many ransomware payloads, it attempts to stop the MSSQL Windows service to ensure successful encryption using the following command (the strings <em>\u201cC:\\Windows\\System32\\net.exe stop\u201d <\/em>and <em>\u201cMSSQLSERVER\u201d <\/em>are both hardcoded in the analyzed samples):<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/inline-text-1b.png\" alt=\"Screenshot of command line\" class=\"wp-image-123739\" width=\"600\" height=\"38\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/inline-text-1b.png 800w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/inline-text-1b-300x19.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/inline-text-1b-768x48.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/inline-text-1b-767x50.png 767w\" sizes=\"(max-width: 600px) 100vw, 600px\" \/><\/figure>\n\n\n\n<p>Prestige creates <em>C:\\Users\\Public\\README <\/em>and stores the following ransom note in the file. The same file is also created in the root directory of each drive:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"257\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/fig1-prestige-ransom-note-1024x257.png\" alt=\"Screenshot of the ransom note, which says:\n\nYOU PERSONAL FILES HAVE BEEN ENCRYPTED.\n\nTo decrypt all the data, you will need to purchase our decryption software.\nContact us Prestige.ranusomeware@Proton.me. In the letter, type your ID = <REDACTED&gt;.\n\n* ATTENTION *\n- Do not try to decrypt your data using third party software, it may cause permanent data loss.\n- Do not modify or rename encrypted files. You will lose them.\n\" class=\"wp-image-123652\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/fig1-prestige-ransom-note-1024x257.png 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/fig1-prestige-ransom-note-300x75.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/fig1-prestige-ransom-note-768x193.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/fig1-prestige-ransom-note.png 1098w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Prestige ransom note<\/figcaption><\/figure>\n\n\n\n<p>Prestige then traverses the files on the file system and encrypts the contents of files that have one of the following hardcoded file extensions, avoiding encrypting files in the <em>C:\\Windows\\ <\/em>and <em>C:\\ProgramData\\Microsoft\\<\/em> directories:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"412\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/inline-text-2b-extensions-1024x412.png\" alt=\"\" class=\"wp-image-123745\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/inline-text-2b-extensions-1024x412.png 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/inline-text-2b-extensions-300x121.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/inline-text-2b-extensions-768x309.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/inline-text-2b-extensions.png 1348w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>After encrypting each file, the ransomware appends the extension <em>.enc <\/em>to the existing extension of the file. For example, <em>changes.txt <\/em>is encrypted and then renamed to <em>changes.txt.enc<\/em>. Prestige uses the following two commands to register a custom file extension handler for files with <em>.enc <\/em>file extension:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"962\" height=\"96\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/inline-text-3.png\" alt=\"Screenshot of command lines.\" class=\"wp-image-123658\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/inline-text-3.png 962w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/inline-text-3-300x30.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/inline-text-3-768x77.png 768w\" sizes=\"(max-width: 962px) 100vw, 962px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"960\" height=\"128\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/fig2-custom-file-extension.png\" alt=\"Screenshot of the Registry Editor displaying the custom file extension handler.\" class=\"wp-image-123661\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/fig2-custom-file-extension.png 960w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/fig2-custom-file-extension-300x40.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/fig2-custom-file-extension-768x102.png 768w\" sizes=\"(max-width: 960px) 100vw, 960px\" \/><figcaption class=\"wp-element-caption\">Custom file extension handler for files with <em>.enc <\/em>extension<\/figcaption><\/figure>\n\n\n\n<p><span style=\"font-size: revert; color: initial;\">As a result of creating the custom file extension handler, when any file carrying the file extension <\/span><em style=\"font-size: revert; color: initial;\">.enc <\/em><span style=\"font-size: revert; color: initial;\">(i.e., encrypted by Prestige) is opened by a user, the file extension handler uses Notepad to open <\/span><em style=\"font-size: revert; color: initial;\">C:\\Users\\Public\\README<\/em><span style=\"font-size: revert; color: initial;\">, which contains the ransom note.<\/span><\/p>\n\n\n\n<p>To encrypt files, Prestige leverages the CryptoPP C++ library to AES-encrypt each eligible file. During the encryption process, the following hardcoded RSA X509 public key is used by one version of the ransomware (each version of Prestige may carry a unique public key):<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/inline-text-4.png\" alt=\"Screenshot of a public key.\" class=\"wp-image-123664\" width=\"721\" height=\"236\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/inline-text-4.png 961w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/inline-text-4-300x98.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/inline-text-4-768x252.png 768w\" sizes=\"(max-width: 721px) 100vw, 721px\" \/><\/figure>\n\n\n\n<p>To hinder system and file recovery, Prestige runs the following command to delete the backup catalog from the system:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/inline-text-5b.png\" alt=\"Screenshot of command for deleting the backup catalog\" class=\"wp-image-123715\" width=\"600\" height=\"38\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/inline-text-5b.png 800w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/inline-text-5b-300x19.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/inline-text-5b-768x48.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/inline-text-5b-767x50.png 767w\" sizes=\"(max-width: 600px) 100vw, 600px\" \/><\/figure>\n\n\n\n<p>Prestige also runs the following command to delete all volume shadow copies on the system:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/inline-text-6b.png\" alt=\"Screenshot of command to delete shadow copies\" class=\"wp-image-123718\" width=\"600\" height=\"38\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/inline-text-6b.png 800w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/inline-text-6b-300x19.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/inline-text-6b-768x48.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/inline-text-6b-767x50.png 767w\" sizes=\"(max-width: 600px) 100vw, 600px\" \/><\/figure>\n\n\n\n<p>Before running the commands above, the 32-bit version of Prestige calls the function <a href=\"https:\/\/learn.microsoft.com\/windows\/win32\/api\/wow64apiset\/nf-wow64apiset-wow64disablewow64fsredirection\">Wow64DisableWow64FsRedirection()<\/a> to disable file system redirection and gain access to the native System32 directory. After running the commands above, Prestige restores file system redirection by calling the function <a href=\"https:\/\/learn.microsoft.com\/windows\/win32\/api\/wow64apiset\/nf-wow64apiset-wow64revertwow64fsredirection\">Wow64RevertWow64FsRedirection()<\/a>.<\/p>\n\n\n\n<p>Microsoft will continue to monitor IRIDIUM activity and implement protections for our customers. The current detections, advanced detections, and IOCs in place across our security products are detailed below.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Looking forward<\/h2>\n\n\n\n<p>The threat landscape in Ukraine continues to evolve, and wipers and destructive attacks have been a consistent theme. Ransomware and wiper attacks rely on many of the same security weaknesses to succeed. As the situation evolves, organizations can adopt the hardening guidance below to help build more robust defenses against these threats.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Recommended customer actions<\/h2>\n\n\n\n<p>The ransomware payload was deployed by the actor after an initial compromise that involved gaining access to highly privileged credentials. The techniques used by the actor and described in the \u201cObserved Actor Activity\u201d section can be mitigated by adopting the security considerations provided below:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/learn.microsoft.com\/microsoft-365\/security\/defender-endpoint\/attack-surface-reduction-rules-reference#block-process-creations-originating-from-psexec-and-wmi-commands\">Block process creations originating from PSExec and WMI commands<\/a> to stop lateral movement utilizing the WMIexec component of Impacket.<\/li>\n\n\n\n<li>Enable <a href=\"https:\/\/learn.microsoft.com\/microsoft-365\/security\/defender-endpoint\/prevent-changes-to-security-settings-with-tamper-protection\">Tamper protection<\/a> to prevent attacks from stopping or interfering with Microsoft Defender.<\/li>\n\n\n\n<li>Turn on <a href=\"https:\/\/learn.microsoft.com\/microsoft-365\/security\/defender-endpoint\/configure-block-at-first-sight-microsoft-defender-antivirus\">cloud-delivered protection<\/a> in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.<\/li>\n\n\n\n<li>While this attack differs from traditional ransomware, following our <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/05\/09\/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself\/#defending-against-ransomware\">defending against ransomware<\/a> guidance helps protect against the credential theft, lateral movement, and ransomware deployment used by IRIDIUM.<\/li>\n\n\n\n<li>Use the included indicators of compromise to investigate whether they exist in your environment and assess for potential intrusion.<\/li>\n\n\n\n<li>Enable <a href=\"https:\/\/learn.microsoft.com\/microsoft-365\/admin\/security-and-compliance\/set-up-multi-factor-authentication\">multifactor authentication (MFA)<\/a> to mitigate potentially compromised credentials and ensure that MFA is enforced for all remote connectivity, including VPNs. Microsoft strongly encourages all customers download and use password-less solutions like <a href=\"https:\/\/www.microsoft.com\/account\/authenticator\/\">Microsoft Authenticator<\/a> to secure your accounts.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Indicators of compromise (IOCs)<\/h2>\n\n\n\n<p>The following table lists the IOCs observed during our investigation. We encourage our customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong>Indicator<\/strong><\/td><td><strong>Type<\/strong><\/td><td><strong>Description<\/strong><\/td><\/tr><tr><td>5dd1ca0d471dee41eb3ea0b6ea117810f228354fc3b7b47400a812573d40d91d<\/td><td>SHA-256<\/td><td>Prestige ransomware payload<\/td><\/tr><tr><td>5fc44c7342b84f50f24758e39c8848b2f0991e8817ef5465844f5f2ff6085a57<\/td><td>SHA-256<\/td><td>Prestige ransomware payload<\/td><\/tr><tr><td>6cff0bbd62efe99f381e5cc0c4182b0fb7a9a34e4be9ce68ee6b0d0ea3eee39c<\/td><td>SHA-256<\/td><td>Prestige ransomware payload<\/td><\/tr><tr><td>a32bbc5df4195de63ea06feb46cd6b55<\/td><td>Import hash<\/td><td>Unique PE Import Hash shared by ransomware payloads<\/td><\/tr><tr><td>C:\\Users\\Public\\README<\/td><td>File path<\/td><td>File path of the ransom note<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><strong>NOTE: <\/strong>These indicators should not be considered exhaustive for this observed activity.<br><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Detections<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Microsoft 365 Defender<\/h3>\n\n\n\n<p><strong>Microsoft Defender Antivirus<\/strong><\/p>\n\n\n\n<p>Microsoft Defender Antivirus detects known Prestige ransomware payloads with the following detection:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.microsoft.com\/en-us\/wdsi\/threats\/malware-encyclopedia-description?Name=Ransom:Win32\/Prestige.B&amp;threatId=-2147133973\">Ransom:Win32\/Prestige<\/a><\/li>\n<\/ul>\n\n\n\n<p><strong>Microsoft Defender for Endpoint<\/strong>&nbsp;<\/p>\n\n\n\n<p>Microsoft Defender for Endpoint provides alerts for the indicators used by IRIDIUM discussed above.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Ransomware-linked emerging threat activity group IRIDIUM detected<\/li>\n<\/ul>\n\n\n\n<p>Microsoft Defender for Endpoint also provides alerts for the pre-ransom techniques discussed above. <\/p>\n\n\n\n<p>Customers should act on these alerts as they indicate hands-on-keyboard attacks. <strong>NOTE: <\/strong>These alerts are not uniquely tied to the Prestige ransomware nor to the campaign discussed.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Ongoing hands-on-keyboard attack via Impacket toolkit<\/li>\n\n\n\n<li>WinPEAS tool detected<\/li>\n\n\n\n<li>Sensitive credential memory read<\/li>\n\n\n\n<li>Password hashes dumped from LSASS memory<\/li>\n\n\n\n<li>Suspicious scheduled task activity<\/li>\n\n\n\n<li>System recovery setting tampering<\/li>\n\n\n\n<li>File backups were deleted<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Advanced hunting queries<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Microsoft Sentinel<\/h3>\n\n\n\n<p><strong>Prestige ransomware file hashes<\/strong><\/p>\n\n\n\n<p>This query looks for file hashes and Microsoft Defender Antivirus detections associated with Prestige ransomware payload.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/github.com\/Azure\/Azure-Sentinel\/tree\/master\/Detections\/MultipleDataSources\/PrestigeRansomwareIOCsOct22.yaml\">https:\/\/github.com\/Azure\/Azure-Sentinel\/tree\/master\/Detections\/MultipleDataSources\/PrestigeRansomwareIOCsOct22.yaml<\/a><\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Microsoft 365 Defender<\/h3>\n\n\n\n<p><strong>Impacket WMIexec usage<\/strong><\/p>\n\n\n\n<p>This query surfaces Impacket WMIexec usage on a device:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">DeviceProcessEvents<br>| where Timestamp &gt;= ago(7d)<br>| where FileName =~ \"cmd.exe\"<br>| where ProcessCommandLine has_all (@\" 1&gt; \\127.0.0.1\\\", \"\/Q \", \"\/c \", @\" 2&gt;&amp;1\")<br>| where InitiatingProcessFileName =~ \"WmiPrvSE.exe\"<\/pre>\n\n\n\n<p>This query has the same purpose as above, but it also groups all the commands launched using Impacket WMIexec on the device:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">DeviceProcessEvents\n| where Timestamp &gt;= ago(7d)\n| where FileName =~ \"cmd.exe\"\n| where ProcessCommandLine has_all (@\" 1&gt; \\127.0.0.1\\\", \"\/Q \", \"\/c \", @\" 2&gt;&amp;1\")\n| where InitiatingProcessFileName =~ \"WmiPrvSE.exe\"\n| project DeviceName, DeviceId, Timestamp, ProcessCommandLine\n| summarize make_set(ProcessCommandLine), min(Timestamp), max(Timestamp) by DeviceId, DeviceName<\/pre>\n\n\n\n<p><strong>LSASS process memory dumping<\/strong><\/p>\n\n\n\n<p>This query surfaces attempts to dump the LSASS process memory comsvcs.dll:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">let startTime = ago(7d);<br>let endTime = now();<br>DeviceProcessEvents<br>| where Timestamp between (startTime..endTime)<br>| where FileName =~ 'rundll32.exe'<br>and ProcessCommandLine has 'comsvcs.dll'<br>and ProcessCommandLine has_any ('full','MiniDump')<br>| where not (ProcessCommandLine matches regex @'{[\\w\\d]{8}-[\\w\\d]{4}-[\\w\\d]{4}-[\\w\\d]{4}-[\\w\\d]{12}}'<br>and ProcessCommandLine matches regex @'(\\d{2}_){3}' )<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>The Microsoft Threat Intelligence Center (MSTIC) has identified evidence of a novel ransomware campaign attributed to IRIDIUM targeting organizations in the logistics and transportation industry in Ukraine and Poland utilizing a previously unidentified ransomware payload. <\/p>\n","protected":false},"author":150,"featured_media":123676,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"ep_exclude_from_search":false,"_classifai_error":"","footnotes":""},"content-type":[3663],"topic":[3687],"products":[],"threat-intelligence":[3735,3738],"tags":[3918,3896,3802],"coauthors":[3380],"class_list":["post-123640","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","content-type-research","topic-threat-intelligence","threat-intelligence-ransomware","threat-intelligence-threat-actors","tag-blizzard","tag-credential-theft","tag-ransomware"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.9 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>New \u201cPrestige\u201d ransomware impacts organizations in Ukraine and Poland | Microsoft Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/10\/14\/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"New \u201cPrestige\u201d ransomware impacts organizations in Ukraine and Poland | Microsoft Security Blog\" \/>\n<meta property=\"og:description\" content=\"The Microsoft Threat Intelligence Center (MSTIC) has identified evidence of a novel ransomware campaign attributed to IRIDIUM targeting organizations in the logistics and transportation industry in Ukraine and Poland utilizing a previously unidentified ransomware payload.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/10\/14\/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland\/\" \/>\n<meta property=\"og:site_name\" content=\"Microsoft Security Blog\" \/>\n<meta property=\"article:published_time\" content=\"2022-10-14T19:00:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-10-13T14:12:57+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/featured_image.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"800\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Microsoft Threat Intelligence\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Microsoft Threat Intelligence\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/10\/14\/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/10\/14\/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland\/\"},\"author\":[{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/microsoft-security-threat-intelligence\/\",\"@type\":\"Person\",\"@name\":\"Microsoft Threat Intelligence\"}],\"headline\":\"New \u201cPrestige\u201d ransomware impacts organizations in Ukraine and Poland\",\"datePublished\":\"2022-10-14T19:00:00+00:00\",\"dateModified\":\"2023-10-13T14:12:57+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/10\/14\/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland\/\"},\"wordCount\":1911,\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/10\/14\/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/featured_image.jpg\",\"keywords\":[\"Blizzard\",\"Credential theft\",\"Ransomware\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/10\/14\/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/10\/14\/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland\/\",\"name\":\"New \u201cPrestige\u201d ransomware impacts organizations in Ukraine and Poland | Microsoft Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/10\/14\/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/10\/14\/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/featured_image.jpg\",\"datePublished\":\"2022-10-14T19:00:00+00:00\",\"dateModified\":\"2023-10-13T14:12:57+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/10\/14\/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/10\/14\/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/10\/14\/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland\/#primaryimage\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/featured_image.jpg\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/featured_image.jpg\",\"width\":1200,\"height\":800,\"caption\":\"Data center illuminated with a bluish light. Yellow cords running on the servers are prominently displayed.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/10\/14\/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"New \u201cPrestige\u201d ransomware impacts organizations in Ukraine and Poland\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"name\":\"Microsoft Security Blog\",\"description\":\"Expert coverage of cybersecurity topics\",\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\",\"name\":\"Microsoft Security Blog\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"width\":512,\"height\":512,\"caption\":\"Microsoft Security Blog\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"New \u201cPrestige\u201d ransomware impacts organizations in Ukraine and Poland | Microsoft Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/10\/14\/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland\/","og_locale":"en_US","og_type":"article","og_title":"New \u201cPrestige\u201d ransomware impacts organizations in Ukraine and Poland | Microsoft Security Blog","og_description":"The Microsoft Threat Intelligence Center (MSTIC) has identified evidence of a novel ransomware campaign attributed to IRIDIUM targeting organizations in the logistics and transportation industry in Ukraine and Poland utilizing a previously unidentified ransomware payload.","og_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/10\/14\/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland\/","og_site_name":"Microsoft Security Blog","article_published_time":"2022-10-14T19:00:00+00:00","article_modified_time":"2023-10-13T14:12:57+00:00","og_image":[{"width":1200,"height":800,"url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/featured_image.jpg","type":"image\/jpeg"}],"author":"Microsoft Threat Intelligence","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Microsoft Threat Intelligence","Est. reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/10\/14\/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland\/#article","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/10\/14\/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland\/"},"author":[{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/microsoft-security-threat-intelligence\/","@type":"Person","@name":"Microsoft Threat Intelligence"}],"headline":"New \u201cPrestige\u201d ransomware impacts organizations in Ukraine and Poland","datePublished":"2022-10-14T19:00:00+00:00","dateModified":"2023-10-13T14:12:57+00:00","mainEntityOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/10\/14\/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland\/"},"wordCount":1911,"publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/10\/14\/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/featured_image.jpg","keywords":["Blizzard","Credential theft","Ransomware"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/10\/14\/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/10\/14\/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland\/","name":"New \u201cPrestige\u201d ransomware impacts organizations in Ukraine and Poland | Microsoft Security Blog","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/10\/14\/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland\/#primaryimage"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/10\/14\/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/featured_image.jpg","datePublished":"2022-10-14T19:00:00+00:00","dateModified":"2023-10-13T14:12:57+00:00","breadcrumb":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/10\/14\/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/10\/14\/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/10\/14\/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland\/#primaryimage","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/featured_image.jpg","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/featured_image.jpg","width":1200,"height":800,"caption":"Data center illuminated with a bluish light. Yellow cords running on the servers are prominently displayed."},{"@type":"BreadcrumbList","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/10\/14\/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/"},{"@type":"ListItem","position":2,"name":"New \u201cPrestige\u201d ransomware impacts organizations in Ukraine and Poland"}]},{"@type":"WebSite","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","name":"Microsoft Security Blog","description":"Expert coverage of cybersecurity topics","publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization","name":"Microsoft Security Blog","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","width":512,"height":512,"caption":"Microsoft Security Blog"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/"}}]}},"msxcm_display_generated_audio":false,"distributor_meta":false,"distributor_terms":false,"distributor_media":false,"distributor_original_site_name":"Microsoft Security Blog","distributor_original_site_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog","push-errors":false,"_links":{"self":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/123640"}],"collection":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/users\/150"}],"replies":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/comments?post=123640"}],"version-history":[{"count":0,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/123640\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media\/123676"}],"wp:attachment":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media?parent=123640"}],"wp:term":[{"taxonomy":"content-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/content-type?post=123640"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/topic?post=123640"},{"taxonomy":"products","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/products?post=123640"},{"taxonomy":"threat-intelligence","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/threat-intelligence?post=123640"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/tags?post=123640"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/coauthors?post=123640"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}