
Prestige Ransomware

The Prestige Ransomware is a threatening tool used by cybercriminals to lock the data of their victims. This particular attack campaign has been focused primarily on targets in Ukraine and Poland. The threat actors deliver info-stealing malware first and only then drop the Prestige Ransomware, using PowerShell, the Windows Scheduled Task utility or the Default Domain Group Policy Object. To perform its encryption routine, the threat requires administrative privileges. It also attempts to stop the MSSQL Windows service so that the encryption can complete successfully.

Once activated, Prestige scans the infected system and locks documents, PDFs, images, photos, archives, databases and more. Each encrypted file has '.enc' appended to its name as a new extension. Victims are left with a ransom note contained in a file named 'README'.
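The behaviours described in the two paragraphs above (the MSSQL service stop, the mass rename to '.enc' and the 'README' note) can be correlated per host into a simple triage rule. This is an added defender-side example, not code from this threat database entry; the event schema, host names, file paths and the rename threshold are constructed assumptions.

```python
from collections import defaultdict

RANSOM_EXT = ".enc"    # extension appended to encrypted files (from the write-up)
NOTE_NAME = "README"   # ransom note file name (from the write-up)
DB_SERVICE = "MSSQL"   # service the threat tries to stop (from the write-up)
RENAME_THRESHOLD = 5   # assumed tuning value: renames per host before alerting

def _basename(path):
    """Last path component, accepting Windows or POSIX separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]

def triage(events):
    """Return {host: [reasons]} for hosts showing Prestige-like behaviour.

    Events are constructed dicts with 'host' and 'type' keys: 'service_stop'
    carries 'service'; 'file_rename' and 'file_create' carry 'path'.
    """
    state = defaultdict(lambda: {"enc": 0, "note": None, "svc": None})
    for ev in events:
        s = state[ev["host"]]
        if ev["type"] == "service_stop" and DB_SERVICE in ev["service"].upper():
            s["svc"] = ev["service"]
        elif ev["type"] == "file_rename" and ev["path"].lower().endswith(RANSOM_EXT):
            s["enc"] += 1
        elif ev["type"] == "file_create" and _basename(ev["path"]).upper() == NOTE_NAME:
            s["note"] = ev["path"]

    findings = {}
    for host, s in state.items():
        reasons = []
        if s["enc"] >= RENAME_THRESHOLD:
            reasons.append(f"{s['enc']} files renamed to {RANSOM_EXT}")
            if s["note"]:  # a lone README is common; it only counts with mass renames
                reasons.append(f"ransom note created: {s['note']}")
        if s["svc"] and s["enc"]:  # a service stop alone is routine maintenance
            reasons.append(f"database service stopped: {s['svc']}")
        if reasons:
            findings[host] = reasons
    return findings

# Constructed sample telemetry: one encrypting file server, one benign dev box.
SAMPLE_EVENTS = [
    {"host": "FS01", "type": "service_stop", "service": "MSSQLSERVER"},
    *({"host": "FS01", "type": "file_rename", "path": f"D:\\share\\doc{i}.pdf.enc"} for i in range(6)),
    {"host": "FS01", "type": "file_create", "path": "D:\\share\\README"},
    {"host": "DEV07", "type": "file_create", "path": "C:\\src\\proj\\README"},
    {"host": "DEV07", "type": "service_stop", "service": "MSSQL$SQLEXPRESS"},
]
```

Running `triage(SAMPLE_EVENTS)` flags only FS01; the developer host's README and SQL Express restart are ignored because no '.enc' renames accompany them.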

The instructions provide very little useful information. The attackers simply state that victims must contact them by sending a message to the 'Prestige.ranusomeware@Proton.me' email address to receive further details on how to obtain a decryption tool from them. The ransom note ends with two warnings: not to try to decrypt the data with third-party software, and not to rename the encrypted files, as either may cause permanent damage to them.

The full text of Prestige Ransomware's note is:

'YOU PERSONAL FILES HAVE BEEN ENCRYPTED.

To decrypt all the data, you will need to purchase our decryption software.
Contact us Prestige.ranusomeware@Proton.me. In the letter, type your ID = .

ATTENTION *

Do not try to decrypt your data using third party software, it may cause permanent data loss.

Do not modify or rename encrypted files. You will lose them.'
