Prestige ransomware has been used by Sandworm Team since at least March 2022, including against transportation and related logistics industries in Ukraine and Poland in October 2022.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1112 | Modify Registry | Prestige has the ability to register new registry keys for a new extension handler via |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Prestige can use PowerShell for payload execution on targeted systems.[1] |
| Enterprise | T1484.001 | Domain or Tenant Policy Modification: Group Policy Modification | Prestige has been deployed using the Default Domain Group Policy Object from an Active Directory Domain Controller.[1] |
| Enterprise | T1486 | Data Encrypted for Impact | Prestige has leveraged the CryptoPP C++ library to encrypt files on target systems using AES and appended filenames with |
| Enterprise | T1083 | File and Directory Discovery | Prestige can traverse the file system to discover files to encrypt by identifying specific extensions defined in a hardcoded list.[1] |
| Enterprise | T1489 | Service Stop | Prestige has attempted to stop the MSSQL Windows service to ensure successful encryption using |
| Enterprise | T1106 | Native API | Prestige has used the |
| Enterprise | T1490 | Inhibit System Recovery | Prestige can delete the backup catalog from the target system using: |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Prestige has been executed on a target system through a scheduled task created by Sandworm Team using Impacket.[1] |
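Most of the technique rows above describe actions that surface in process-creation telemetry. The Python below is an added example, not code from the ATT&CK page or from any Prestige analysis: a small rule set run over constructed Sysmon-style command lines that tags the common Windows forms of those actions (reg.exe adding an HKCR shell\open\command handler, net/sc stopping the MSSQL service, wbadmin deleting the backup catalog, schtasks creating a task, PowerShell launched with encoded or hidden switches) with the technique IDs from the table, and escalates a host to the impact stage once a service stop or recovery inhibition is seen. The exact command lines Prestige uses are truncated on this page, so the patterns are generic forms of these commands rather than Prestige's own; the host names and log lines are constructed. GPO-based deployment (T1484.001) and the AES encryption itself (T1486) need Group Policy and file-system telemetry rather than command lines and are left out here.

```python
"""Added example: command-line detection rules keyed to the technique IDs in
the table above. Patterns are generic Windows forms of each action (the
page truncates Prestige's actual command lines); sample events are constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    technique: str      # ATT&CK technique ID from the table
    name: str           # short analyst-facing description
    pattern: re.Pattern # matched against the process command line


RULES = [
    # T1112: reg.exe registering a shell\open\command handler for a new
    # extension under HKCR (assumed generic form, not quoted from the page)
    Rule("T1112", "extension handler registered under HKCR via reg.exe",
         re.compile(r'\breg(?:\.exe)?\s+add\s+"?HKCR\\\S*\\shell\\open\\command', re.I)),
    # T1489: MSSQL service stopped through net/net1/sc
    Rule("T1489", "MSSQL service stop",
         re.compile(r'\b(?:net1?(?:\.exe)?|sc(?:\.exe)?)\s+stop\s+"?MSSQL', re.I)),
    # T1490: backup catalog deleted with wbadmin
    Rule("T1490", "backup catalog deletion",
         re.compile(r'\bwbadmin(?:\.exe)?\s+delete\s+catalog\b', re.I)),
    # T1053.005: scheduled task created from the command line
    Rule("T1053.005", "scheduled task creation",
         re.compile(r'\bschtasks(?:\.exe)?\s+/create\b', re.I)),
    # T1059.001: PowerShell with encoded, no-profile, hidden or bypass switches
    Rule("T1059.001", "PowerShell launched with evasion-style switches",
         re.compile(r'\bpowershell(?:\.exe)?\b.*\s-(?:enc\w*|nop\w*|'
                    r'w(?:indowstyle)?\s+hidden|ex\w*\s+bypass)', re.I)),
]

# Techniques that indicate the intrusion has reached the impact stage.
IMPACT_TECHNIQUES = {"T1489", "T1490"}

# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS-17", "cmd": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"host": "WS-17", "cmd": r"schtasks.exe /create /tn Updater /tr C:\Users\Public\stage.exe /sc once /st 02:16"},
    {"host": "WS-17", "cmd": r"powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"host": "WS-17", "cmd": r'reg.exe add HKCR\enc\shell\open\command /ve /t REG_SZ /d "C:\Users\Public\stage.exe %1"'},
    {"host": "WS-17", "cmd": r"net.exe stop MSSQLSERVER"},
    {"host": "WS-17", "cmd": r"wbadmin.exe delete catalog -quiet"},
    {"host": "FS-02", "cmd": r"reg.exe query HKLM\SOFTWARE\Microsoft"},
]


def match_event(cmdline: str) -> list:
    """Return the technique IDs whose rule matches one command line, in rule order."""
    return [r.technique for r in RULES if r.pattern.search(cmdline)]


def triage(events: list) -> dict:
    """Summarise per host which techniques fired and whether the host has
    reached the impact stage (service stop or recovery inhibition seen)."""
    summary = {}
    for ev in events:
        hits = match_event(ev["cmd"])
        if not hits:
            continue
        entry = summary.setdefault(ev["host"], {"techniques": set(), "stage": "staging"})
        entry["techniques"].update(hits)
        if entry["techniques"] & IMPACT_TECHNIQUES:
            entry["stage"] = "impact"
    return {host: {"techniques": sorted(e["techniques"]), "stage": e["stage"]}
            for host, e in summary.items()}


if __name__ == "__main__":
    for host, result in triage(SAMPLE_EVENTS).items():
        print(f"{host}: stage={result['stage']} techniques={result['techniques']}")
```

The rules are deliberately narrow so that a single hit is a lead rather than an alert; the escalation in `triage` is what a responder would act on, since by the time the backup catalog is deleted and MSSQL is stopped, encryption is imminent. Correlating the earlier hits (scheduled task, PowerShell, HKCR handler) on the same host is where the detection has to fire to matter.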
| ID | Name | References |
|---|---|---|
| G0034 | Sandworm Team | |