Prestige Ransomware Analysis – CYFIRMA

CYFIRMA observes an uptick in threat-actor–led ransomware campaigns and highlights Prestige Ransomware as a distinct campaign impacting transportation and logistics sectors in Ukraine and Poland. The sample analyzed is a 32-bit C/C++ console binary that can encrypt files offline with a hardcoded RSA key, drops a ransom note, uses a custom .enc extension handler, and shows limited network propagation. #PrestigeRansomware #HermeticWiper #AprilAxe #CaddyWiper #Foxblade #ArguePatch #Russia #Ukraine #Poland

Keypoints

  • Prestige Ransomware encrypts victim files and appends a .enc extension, dropping a ransom note at C:\Users\Public\README.
  • The sample is a 32‑bit C/C++ console binary; CYFIRMA performed static and dynamic analysis as well as memory forensics on it.
  • Encryption uses a hardcoded RSA public key and multiple algorithms (AES, DES) via the Crypto++ library, and it can operate without an internet connection.
  • It shows registry activity and creates registry keys, and registers a custom .enc file extension handler to display the ransom note.
  • Network propagation appears limited; Prestige did not infect other machines on the same network despite access to shared folders.
  • Anti-recovery and cleanup actions by the ransomware include deleting volume shadow copies and backups, stopping MSSQL services, and removing traces via built-in system tools.
  • OSINT links the campaign to broader Russia‑linked threat activity and notes overlaps with HermeticWiper in Ukraine; the incident landscape around Prestige is rapidly evolving.

MITRE Techniques

  • [T1059] Command and Scripting Interpreter – Prestige Ransomware invokes reg.exe to register a custom handler for the .enc file extension. “Prestige Ransomware uses reg.exe commands to register a custom file extension handler for files with .enc file extension.”
  • [T1106] Native API – The ransomware performs encryption-related actions using Windows APIs (e.g., SetFilePointerEx, WriteFile) as part of its file handling. “Move the file pointer of the specified file using SetFilePointerEx API.”
  • [T1053] Scheduled Task/Job – Threat actors possibly schedule payload execution to run on target systems. “Threat actors possibly used remote code execution tools and schedule the activities to run the payload on target systems.”
  • [T1112] Modify Registry – The sample creates registry keys as part of persistence/behavior. “Create Key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\enc”
  • [T1497] Virtualization/Sandbox Evasion – Documented artifacts left on the system (opened/hidden processes, newly created files, and registry keys) imply evasion-oriented behavior. “Documented the techniques used by Prestige Ransomware and artifacts left on the system including – opened/hidden processes, newly created files, and registry keys.”
  • [T1070.004] Indicator Removal on Host: File Deletion – The ransomware deletes backups and shadow copies (e.g., wbadmin delete catalog; vssadmin delete shadows). “delete catalog -quiet” and “delete shadows /all /quiet”
  • [T1012] Query Registry – Registry modifications accompany the attack. “Registry keys created” (registry activity context)
  • [T1057] Process Discovery – Enumerates and observes running processes during infection. “Enumerates through the directories, files, and processes” and “Process Created C:\Windows\SysWOW64\reg.exe”
  • [T1082] System Information Discovery – Gathered system information as part of reconnaissance. “Gathering System Information.”
  • [T1518.001] Software Discovery: Security Software Discovery – Indicates detection/avoidance of security software contexts. “Software Discovery: Security Software Discovery”
  • [T1083] File and Directory Discovery – Traversal of directories/files to identify targets for encryption. “Enumerates through the directories and files through file APIs.”
  • [T1486] Data Encrypted for Impact – Files are encrypted and renamed with .enc. “Encrypts files by renaming them to “.enc” file extension.”
  • [T1490] Inhibit System Recovery – Deletes volume shadow copies to hinder recovery. “delete shadows /all /quiet”
  • [T1489] Service Stop – Attempts to stop services (e.g., MSSQL) before encryption. “Prestige Ransomware attempts to stop the MSSQL Windows service before encrypting the files using the net.exe command.”
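As an added illustration of how a defender could hunt for the behaviours in the mapping above (this is not CYFIRMA's code), the following Python checker matches the reported command lines and registry key against constructed Sysmon-style events. The event field names, the MSSQLSERVER service name and the /f flag in the sample reg.exe command line are assumptions.

```python
import re
# Sysmon-style events are assumed as dicts with EventID (1 = process create,
# 12/13 = registry key/value), CommandLine and TargetObject keys (assumption).
PROCESS_RULES = {
    "T1490 vssadmin shadow deletion":
        re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\s+/all\s+/quiet", re.I),
    "T1070.004 wbadmin catalog deletion":
        re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\s+-quiet", re.I),
    "T1489 MSSQL service stop via net.exe":
        re.compile(r"\bnet1?(\.exe)?\s+stop\s+\S*mssql", re.I),
    "T1059 .enc handler registration via reg.exe":
        re.compile(r"\breg(\.exe)?\s+add\s+\S*\\Classes\\\.?enc\\shell\\open\\command", re.I),
}
# The class key is reported both as Classes\enc and Classes\.enc; accept either.
REGISTRY_RULE = re.compile(r"\\SOFTWARE\\Classes\\\.?enc(\\|$)", re.I)

def match_event(event):
    """Return the names of every rule this single event satisfies."""
    hits = []
    if event.get("EventID") == 1:
        cmd = event.get("CommandLine", "")
        hits += [name for name, rx in PROCESS_RULES.items() if rx.search(cmd)]
    elif event.get("EventID") in (12, 13):
        if REGISTRY_RULE.search(event.get("TargetObject", "")):
            hits.append("T1112 .enc class key created")
    return hits

def scan(events):
    """Map each fired rule to the RecordIds that triggered it."""
    fired = {}
    for ev in events:
        for name in match_event(ev):
            fired.setdefault(name, []).append(ev["RecordId"])
    return fired

def is_prestige_like(events):
    # A lone shadow-copy deletion can be admin work; require two distinct behaviours.
    return len(scan(events)) >= 2

# Constructed sample log, not a capture from the analysed system.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 1, "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"RecordId": 2, "EventID": 1, "CommandLine": "wbadmin delete catalog -quiet"},
    {"RecordId": 3, "EventID": 1, "CommandLine": "net stop MSSQLSERVER"},
    {"RecordId": 4, "EventID": 1, "CommandLine": r"reg.exe add HKLM\SOFTWARE\Classes\enc\shell\open\command /f"},
    {"RecordId": 5, "EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Classes\enc\shell\open\command\(Default)"},
    {"RecordId": 6, "EventID": 1, "CommandLine": "vssadmin list shadows"},  # benign
    {"RecordId": 7, "EventID": 1, "CommandLine": "net stop Spooler"},  # benign
]
```

Running scan(SAMPLE_EVENTS) fires all five rules on records 1 to 5 and ignores the two benign lines; the two-behaviour threshold in is_prestige_like keeps a single routine shadow-copy cleanup from paging the on-call analyst.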

Indicators of Compromise

  • [SHA-256] sample.exe – 5fc44c7342b84f50f24758e39c8848b2f0991e8817ef5465844f5f2ff6085a57
  • [File Name] README – ransom note file created at C:\Users\Public\README
  • [File Name] BOOTSECT.BAK.enc – renamed target file after encryption
  • [File Extension] .enc – appended to encrypted files
  • [Process] reg.exe – process created during registry/file extension handling
  • [Process] net.exe – process used to attempt service control (e.g., MSSQL)
  • [Registry Key] HKLM\SOFTWARE\Classes\enc – created
  • [Registry Key] HKLM\SOFTWARE\Classes\enc\shell\open\command – created
  • [Software] Crypto++ library – used during encryption
  • [Algorithm] AES – one of the encryption algorithms listed
  • [Algorithm] DES – another encryption algorithm listed
  • [Public Key] Hardcoded RSA public key – used for offline encryption
  • [File Path] C:\Users\Public\README – ransom note location

Read more: https://www.cyfirma.com/outofband/prestige-ransomware-analysis/