mrobson
Staff

Introduction

On 14 October 2022 Microsoft Threat Intelligence Center (MSTIC) disclosed information on a new ransomware family being used as part of a campaign targeting the transport and logistics industries in Ukraine and Poland [1]. The ransomware is written in C++ and names itself ‘Prestige’ within the ransom note it drops after encrypting a victim’s files.

The purpose of this article is to outline how FortiEDR effectively detects and mitigates this threat. It also provides threat hunting queries related to this ransomware operation that can be used to identify potential execution attempts, and IOCs that can be used to quickly confirm this threat in the event of a detection.

Execution Prevention

At the time of analysis, the Prestige executable (123.exe) was unknown, i.e. its hash was not in the FortiGuard signature database. As a result, FortiEDR’s pre-execution protection rules did not initially flag the file as malicious. However, analysis by the FortiEDR ML engine identified malicious indicators within the file that resulted in a temporary PUP (Potentially Unwanted Program) classification. Figure 1 below shows the generated FortiEDR security event. The default FortiEDR configuration detects and mitigates behavior associated with PUPs like this. This type of classification is effective at mitigating new, unknown samples of known families, which is especially valuable against ransomware campaigns where a new executable is created per intrusion to subvert signature-based detection.

[Image: mrobson_1-1667429956060.png]

Figure 1. FortiEDR security events related to the unknown Prestige executable being flagged as an ‘Unknown Executable’. This rule flags a file that contains a few characteristics commonly used by malware and is identified by FortiEDR’s machine-learning engine as potentially malicious.

As part of its encryption process, Prestige will attempt to access files on remote shares, in this case the “smb:\\” share from the test environment. This behavior is detected and blocked by FortiEDR as a “Network Access” event. An example of this event can be seen below in Figure 2.

[Image: mrobson_2-1667430018142.png]

Figure 2. FortiEDR security event generated when the ‘123.exe’ executable (Prestige ransomware) attempts to access the ‘smb://’ share to encrypt remote files.

To ensure that critical files are all encrypted, Prestige ransomware attempts to stop the “MSSQLSERVER” service running on a victim endpoint. This prevents the service from holding locks on MSSQL database files and ensures that any databases on the endpoint can be encrypted. This is common behavior across many ransomware families. An example of a FortiEDR event generated as a result of this activity is shown below in Figure 3.

[Image: mrobson_3-1667430089407.png]

Figure 3. FortiEDR security event generated as the Prestige malware sample (123.exe) attempts to launch net.exe to stop the MSSQLSERVER service to maximize the impact of encryption activity.

Following the above behavior, Prestige ransomware begins encrypting files on the victim endpoint with AES encryption and a hardcoded key. This encryption activity is visible in FortiEDR as a series of file write and file rename events. Files are first overwritten with their encrypted content, then the extension “.enc” is appended to the full filename. FortiEDR detects and mitigates ransomware encryption activity like this through the Ransomware Protection security policy and its ‘File Encryptor’ rule. In Prevention mode this rule blocks the file encryption process, protecting the integrity of the files. An example file write event and file rename event associated with this behavior are shown below in Figure 4 and Figure 5 respectively.

[Image: mrobson_4-1667430151685.png]

Figure 4. FortiEDR security event related to the Prestige ransomware sample (123.exe) encrypting files. Note the raw data item (RDI) count of 534 indicating the various files that were encrypted.

[Image: mrobson_6-1667368725566.png]

Figure 5. FortiEDR file write security events related to Prestige sample encryption behavior.
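The write-then-rename sequence described above, as an added example that is not FortiEDR’s File Encryptor rule or any code from this article: a small stateful detector that correlates per-process file write and rename events over constructed sample events (field names are assumed), raising only when several files are renamed to their original name plus “.enc”.

```python
# Added example, not FortiEDR's own logic: a stateful detector for the
# write-then-rename-to-".enc" pattern, run over constructed events.
from collections import defaultdict

ENC_EXT = ".enc"

# Constructed sample events in the order a sensor would emit them (assumed field names).
SAMPLE_EVENTS = [
    {"type": "File Write",  "process": "123.exe", "path": r"C:\Data\q3.xlsx"},
    {"type": "File Rename", "process": "123.exe", "path": r"C:\Data\q3.xlsx",
     "new_path": r"C:\Data\q3.xlsx.enc"},
    {"type": "File Write",  "process": "123.exe", "path": r"C:\Data\plan.docx"},
    {"type": "File Rename", "process": "123.exe", "path": r"C:\Data\plan.docx",
     "new_path": r"C:\Data\plan.docx.enc"},
    # A legitimate editor writes files but never renames them to .enc.
    {"type": "File Write",  "process": "winword.exe", "path": r"C:\Data\memo.docx"},
    # A rename to .enc with no preceding write by the same process is not counted.
    {"type": "File Rename", "process": "explorer.exe", "path": r"C:\Data\x.bin",
     "new_path": r"C:\Data\x.bin.enc"},
]


def find_encryptors(events, threshold=2):
    """Return {process: count} for processes whose write -> rename-to-.enc
    sequences reach `threshold`; isolated renames are ignored to limit noise."""
    pending = defaultdict(set)  # process -> paths written but not yet renamed
    hits = defaultdict(int)
    for ev in events:
        proc, path = ev["process"], ev["path"]
        if ev["type"] == "File Write":
            pending[proc].add(path)
        elif ev["type"] == "File Rename":
            # Prestige keeps the original name intact and appends ".enc" to it.
            expected = (path + ENC_EXT).lower()
            if ev["new_path"].lower() == expected and path in pending[proc]:
                pending[proc].discard(path)
                hits[proc] += 1
    return {proc: n for proc, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    print(find_encryptors(SAMPLE_EVENTS))  # {'123.exe': 2}
```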

The way that Prestige delivers its ransom note differs from the majority of other current prominent ransomware families. Prestige writes a single ransom note called “README” (no extension) to the “C:\Users\Public” folder. The malware then creates a registry entry registering a new file extension handler for the “.enc” file extension, and defines that handler to launch the default “notepad.exe” executable to show the ransom note. This means that when a user opens a file with the “.enc” file extension, namely any file encrypted by the ransomware’s earlier operations, the ransom note is displayed. The Prestige ransomware sample analyzed as part of this article made these registry modifications by spawning two instances of the standard Windows “reg.exe” binary with the “add” option. FortiEDR detects the process creation events related to these processes being spawned, as shown through the FortiEDR Threat Hunting interface below in Figure 6.

[Image: mrobson_11-1667368903874.png]

Figure 6. FortiEDR Threat Hunting information showing how the Prestige sample (123.exe) creates a number of reg.exe processes used to create a new context menu entry to show the ransom note in notepad whenever a file with the ‘.enc’ extension is opened.

Conclusion

Prestige ransomware currently appears to be used only for targeted attacks in Ukraine and Poland, and the FortiGuard MDR and IR teams have not yet observed it employed outside these regions. Regardless, as with most ransomware families, Prestige ransomware is detected and mitigated by FortiEDR out of the box, and FortiEDR customers are protected from this threat. Some FortiEDR Threat Hunting queries are provided below to support proactive identification of potential Prestige activity and quick identification during triage.

Threat Hunting

The following query identifies File Create events for files matching the characteristics of the Prestige ransom note. There are no currently observed false positives associated with this query. Note that a hit on this query, once confirmed not to be a false positive, indicates that the Prestige ransomware successfully executed.

Type:"File Create" AND Target.File.Path:"Users\\Public\\README" NOT _exists_:Target.File.Ext


The following query identifies Process Creation events for net.exe processes used to stop the “MSSQLSERVER” service. This procedure for achieving Service Stop (T1468) is not unique to Prestige but is indicative of potential ransomware activity. There will be false positives related to this activity, as this command is regularly used for troubleshooting or administering an MSSQL server. To tune the query, it is recommended to filter on the source process to exclude the administration tools used in a customer’s environment.

Type:"Process Creation" AND Target.Process.Name:"net.exe" AND Target.Process.CommandLine:("stop \"MSSQLSERVER\"")


The following query identifies Process Creation events for reg.exe being used to add a registry key that creates or registers a new file extension handler for the ‘.enc’ file extension. False positives are not expected for this rule, except potentially during the installation of new software that legitimately uses .enc files. This is non-standard for Windows environments and can be easily tuned out once observed.

Type:"Process Creation" AND Target.Process.Name:"reg.exe" AND Target.Process.CommandLine:("add HKCR\\.enc" OR "add HKCR\\.enc\\shell\\open\\command")
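The three hunting queries above expressed as an added Python example (not FortiEDR’s query engine or code from this article), run over constructed events with assumed field names; it includes the source-process exclusion recommended for tuning the net.exe query, with a hypothetical admin tool name in the exclusion list.

```python
# Added example, not FortiEDR's own query engine: the three hunting queries above
# expressed as Python predicates over constructed event records (assumed field names).
import ntpath


def is_prestige_note_create(ev):
    # Type:"File Create" AND Target.File.Path:"Users\\Public\\README" NOT _exists_:Target.File.Ext
    if ev["type"] != "File Create":
        return False
    directory, name = ntpath.split(ev["path"])
    in_public = ntpath.normcase(directory).endswith(ntpath.normcase(r"\Users\Public"))
    return in_public and name.upper() == "README" and ntpath.splitext(name)[1] == ""


def is_mssql_service_stop(ev, admin_tools=frozenset({"ssms.exe"})):
    # Type:"Process Creation" AND Target.Process.Name:"net.exe"
    #   AND Target.Process.CommandLine:("stop \"MSSQLSERVER\"")
    # admin_tools is the recommended tuning: a hypothetical list of admin source processes.
    if ev["type"] != "Process Creation" or ev["target_name"].lower() != "net.exe":
        return False
    if ev.get("source_name", "").lower() in admin_tools:
        return False
    return 'stop "mssqlserver"' in ev["cmdline"].lower()


def is_enc_handler_registration(ev):
    # Type:"Process Creation" AND Target.Process.Name:"reg.exe"
    #   AND Target.Process.CommandLine:("add HKCR\\.enc" OR ...)
    if ev["type"] != "Process Creation" or ev["target_name"].lower() != "reg.exe":
        return False
    return "add hkcr\\.enc" in ev["cmdline"].lower()  # also matches the shell\open\command subkey


RULES = [("prestige_note", is_prestige_note_create),
         ("mssql_service_stop", is_mssql_service_stop),
         ("enc_handler", is_enc_handler_registration)]

# Constructed sample events: indexes 1 and 3 are the benign look-alikes each rule must ignore.
SAMPLE = [
    {"type": "File Create", "target_name": "123.exe", "path": r"C:\Users\Public\README"},
    {"type": "File Create", "target_name": "notepad.exe", "path": r"C:\Users\Public\README.txt"},
    {"type": "Process Creation", "target_name": "net.exe", "source_name": "123.exe",
     "cmdline": 'net stop "MSSQLSERVER"'},
    {"type": "Process Creation", "target_name": "net.exe", "source_name": "ssms.exe",
     "cmdline": 'net stop "MSSQLSERVER"'},
    {"type": "Process Creation", "target_name": "reg.exe", "source_name": "123.exe",
     "cmdline": r'reg add HKCR\.enc\shell\open\command /ve /d "notepad.exe" /f'},
]


def run_hunts(events, rules=RULES):
    """Return (rule_name, event_index) pairs so each hit can be triaged by rule."""
    return [(name, i) for i, ev in enumerate(events) for name, rule in rules if rule(ev)]
```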

MITRE ATT&CK

TA0040 – Impact

Technique ID | Technique Description | Observed Activity
T1468 | Service Stop | Prestige ransomware stops the “MSSQLSERVER” service to ensure that running databases can be properly encrypted. This service is stopped through the use of a non-obfuscated net.exe command.
T1489 | Data Encrypted for Impact | Prestige ransomware encrypts files on the victim endpoint by first overwriting their contents with encrypted content, then renaming them by appending the new file extension “.enc”. Prestige ransomware also attempts to encrypt files on network-connected file shares. Encryption uses a hardcoded AES key.

IOCs

Indicator Description | Indicator | Indicator Type | Associated Tactic | Notes | First Observed
Prestige sample | 5dd1ca0d471dee41eb3ea0b6ea117810f228354fc3b7b47400a812573d40d91d | SHA-256 | Actions on Objectives | Prestige ransomware sample analyzed in this article. First reported by MSTIC. | 2022-10-11
Prestige sample | 5fc44c7342b84f50f24758e39c8848b2f0991e8817ef5465844f5f2ff6085a57 | SHA-256 | Actions on Objectives | Prestige ransomware sample analyzed in this article. First reported by MSTIC. | 2022-10-11
Prestige sample | 6cff0bbd62efe99f381e5cc0c4182b0fb7a9a34e4be9ce68ee6b0d0ea3eee39c | SHA-256 | Actions on Objectives | Prestige ransomware sample analyzed in this article. First reported by MSTIC. | 2022-10-11


[1] https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizatio...
