Microsoft has identified a new hacking group that is targeting organisations in the transportation and related logistics industries in Ukraine and Poland.

The Microsoft Threat Intelligence Center (MSTIC) identified evidence of a novel hacking campaign utilising a previously unidentified ransomware payload.

Advertisement

“We observed this new ransomware, which labels itself in its ransom note as ‘Prestige ransomware’, being deployed on October 11 in attacks occurring within an hour of each other across all victims,” the company said in a blog post.

According to the company, this ransomware attack was not connected to any of the 94 currently active ransomware activity groups that Microsoft tracks.

“The Prestige ransomware had not been observed by Microsoft prior to this deployment. The activity shares victimology with recent Russian state-aligned activity, specifically on affected geographies and countries, and overlaps with previous victims of the FoxBlade malware (also known as HermeticWiper),” Microsoft explained.

The tech giant said it has not yet linked this ransomware campaign, called DEV-0960, to a known threat group that was continuing investigations.

The ransomware payload was deployed by the actor after an initial compromise that involved gaining access to highly privileged credentials.

“In all observed deployments, the attacker had already gained access to highly privileged credentials, like Domain Admin, to facilitate the ransomware deployment,” said the team.

The threat landscape in Ukraine continues to evolve, and wipers and destructive attacks have been a consistent theme.

“Ransomware and wiper attacks rely on many of the same security weaknesses to succeed,” said Microsoft.