SentinelOne VS Prestige Ransomware – Protection, Detection and Response

Prestige ransomware was first observed in October 2022. The malware has been tied to multiple targeted attacks affecting entities in Poland and Ukraine. Prestige-centric campaigns have not yet been linked to any other prior, specific attacks against Ukraine. Initial footholds are often obtained via COTS tools or LOLBINs (Impacket WMIexec, Remote Exec, ntdsutil.exe, winPEAS). Once launched, the malware locates files matching its prescribed criteria for encryption; affected files are marked with a “.enc” extension. The malware also registers a custom file handler via the registry. In addition, it attempts to delete Volume Shadow Copies and the local Backup Catalog (wbadmin.exe).
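The behaviours listed above (backup catalog deletion through wbadmin.exe, shadow copy deletion, and a registry file-handler registration for the “.enc” extension) are the observable precursors a defender can alert on before encryption completes. The following Python script is an added detection example; it is not SentinelOne's code and is not taken from the original page. The event shape, the sample events, the Temp-folder parent process and the `HKCR\.enc` key location are constructed for the example; the page does not name the utility used for shadow copy deletion, so the `vssadmin delete shadows` pattern is an assumption about common tooling rather than a stated Prestige indicator.

```python
"""Flag Prestige-style ransomware precursors in process/registry telemetry.

Added example (not SentinelOne's code). Event shape and sample events are
constructed; the vssadmin pattern and the HKCR\\.enc key path are assumptions.
"""
import re
from collections import defaultdict

# Constructed Sysmon-like events, not real telemetry. "process" events carry
# image/cmdline of the spawned child; "registry" events carry the key written.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4120, "parent": r"C:\Users\u\AppData\Local\Temp\svc.exe",
     "image": r"C:\Windows\System32\wbadmin.exe", "cmdline": "wbadmin delete catalog -quiet"},
    {"type": "process", "pid": 4133, "parent": r"C:\Users\u\AppData\Local\Temp\svc.exe",
     "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"type": "registry", "pid": 4101, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\u\AppData\Local\Temp\svc.exe", "target": r"HKCR\.enc\shell\open\command"},
    # Benign activity that must not fire: a read-only wbadmin query and a backup agent.
    {"type": "process", "pid": 5001, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wbadmin.exe", "cmdline": "wbadmin get versions"},
    {"type": "process", "pid": 5002, "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Program Files\Backup\agent.exe", "cmdline": "agent.exe --sync"},
]

# Each rule names the event type it applies to, an optional image filter, and the
# pattern matched against the command line (process) or the target key (registry).
RULES = [
    {"name": "backup_catalog_delete", "severity": "high", "type": "process",
     "image": re.compile(r"wbadmin\.exe$", re.I),
     "pattern": re.compile(r"\bdelete\s+catalog\b", re.I)},
    {"name": "shadow_copy_delete", "severity": "high", "type": "process",
     "image": re.compile(r"vssadmin\.exe$", re.I),          # assumed tooling
     "pattern": re.compile(r"\bdelete\s+shadows\b", re.I)},
    {"name": "enc_extension_handler", "severity": "medium", "type": "registry",
     "image": None,                                         # any writer
     "pattern": re.compile(r"(?:^|\\)(?:HKCR|HKEY_CLASSES_ROOT|Classes)\\\.enc(?:\\|$)", re.I)},
]


def match_rules(event):
    """Return the names of all rules a single event triggers."""
    hits = []
    for rule in RULES:
        if rule["type"] != event["type"]:
            continue
        if rule["image"] and not rule["image"].search(event.get("image", "")):
            continue
        field = "cmdline" if event["type"] == "process" else "target"
        if rule["pattern"].search(event.get(field, "")):
            hits.append(rule["name"])
    return hits


def responsible_process(event):
    """The process to blame: the parent that launched a system utility, or the
    process that performed the registry write."""
    return event["parent"] if event["type"] == "process" else event["image"]


def detect(events):
    """Return per-event findings and a per-process verdict.

    A single precursor is only 'suspicious' (admins do delete shadow copies);
    two or more distinct precursors from the same process is the chained
    behaviour described for Prestige and is escalated.
    """
    findings = []
    rules_by_actor = defaultdict(set)
    for ev in events:
        for name in match_rules(ev):
            actor = responsible_process(ev)
            findings.append({"pid": ev["pid"], "rule": name, "actor": actor})
            rules_by_actor[actor].add(name)
    verdicts = {
        actor: "probable_ransomware_precursor" if len(rules) >= 2 else "suspicious"
        for actor, rules in rules_by_actor.items()
    }
    return findings, verdicts


if __name__ == "__main__":
    found, verdict = detect(SAMPLE_EVENTS)
    for f in found:
        print(f"pid={f['pid']:<5} rule={f['rule']:<24} actor={f['actor']}")
    for actor, v in verdict.items():
        print(f"{v}: {actor}")
```

Correlating by the responsible process rather than alerting on each command in isolation is what keeps the rule usable: a lone `wbadmin delete catalog` from an administrator's console stays at "suspicious", while the same command chained with shadow copy deletion and an `.enc` handler registration from one unsigned executable in a Temp folder is escalated. Feeding real EDR or Sysmon Event ID 1/13 records into `detect()` only requires mapping their fields onto the constructed event shape.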
