Prestige
Prestige is a Windows ransomware family publicly linked in the provided content to Sandworm Team/Seashell Blizzard activity in 2022, including attacks affecting organizations in Ukraine and Poland. The content also characterizes it as part of Sandworm’s broader destructive or pseudo-ransomware operations. Prestige has been executed on target systems through a scheduled task created by Sandworm using Impacket. It can use PowerShell for payload execution. On infected systems, Prestige leverages the CryptoPP C++ library to encrypt files with AES and appends the .enc extension to encrypted files. It impairs recovery by deleting the Windows backup catalog via c:\Windows\System32\wbadmin.exe delete catalog -quiet and deleting volume shadow copies via \Windows\System32\vssadmin.exe delete shadows /all /quiet. The content further states that after changing encrypted files to a new extension, Prestige modifies the file association for that extension so files open with Notepad.exe, which is used to display a ransom note. High-confidence behaviors directly mentioned in the content therefore include PowerShell-based execution, scheduled-task execution via Impacket, AES file encryption with .enc extension changes, deletion of backup and shadow-copy recovery artifacts, and file-association hijacking to display the ransom note.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Prestige can delete the backup catalog from the target system using: c:\Windows\System32\wbadmin.exe delete catalog -quiet and can also delete volume shadow copies using: \Windows\System32\vssadmin.exe delete shadows /all /quiet.
Techniques & procedures
13 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
4 techniques
Execution
“Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.” / “APT29 used scheduler and schtasks to create new tasks on remote host as part of their lateral movement… updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration.”
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
The content repeatedly describes threat actors and malware using PowerShell scripts/commands for execution, download, staging, reconnaissance, persistence, credential access, lateral movement, and defense evasion; e.g., "Sandworm Team used PowerShell scripts to run a credential harvesting tool in memory to evade defenses."
Persistence
4 techniques
Persistence
“Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.” / “APT29 used scheduler and schtasks to create new tasks on remote host as part of their lateral movement… updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration.”
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
Privilege Escalation
4 techniques
Privilege Escalation
“Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.” / “APT29 used scheduler and schtasks to create new tasks on remote host as part of their lateral movement… updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration.”
Defense Impairment
2 techniques
Defense Impairment
Discovery
1 technique
Discovery
The content repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").
Lateral Movement
1 technique
Lateral Movement
Impact
3 techniques
Impact
Numerous ransomware/wiper examples enumerate files before encryption, such as "BlackCat can enumerate files for encryption", "NotPetya searches for files ending with dozens of different file extensions prior to encryption", and "WastedLocker can enumerate files and directories just prior to encryption."
Akira will delete system volume shadow copies via PowerShell commands. Avaddon deletes backups and shadow copies using native system tools. Babuk has the ability to delete shadow volumes using vssadmin.exe delete shadows /all /quiet. BlackCat can delete shadow copies using vssadmin.exe delete shadows /all /quiet and wmic.exe Shadowcopy Delete; it can also modify the boot loader using bcdedit /set {default} recoveryenabled No.
Recent activity
32 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Associated Analytic Story CISA AA22-277A, DarkGate Malware, Hidden Cobra Malware, Prestige Ransomware, Windows Post-Exploitation
Ransomware family referenced as an associated analytic story for detection of common ransomware file extensions.
Associated Analytic Story ... Prestige Ransomware
Associated Analytic Story Active Directory Discovery Azorult Prestige Ransomware Windows Post-Exploitation
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.