
S1058: Prestige

Prestige ransomware has been used by Sandworm Team since at least March 2022, including against transportation and related logistics industries in Ukraine and Poland in October 2022.[1]

Domain: Enterprise | ID: S1058 | Type: Malware | Object version: 1.0 | Modified:
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Prestige is a Windows ransomware malware entry in ATT&CK, historically reported by MITRE as used by Sandworm Team against transportation and related logistics organizations in Ukraine and Poland. Its decision value is not just “ransomware exists”; it highlights a destructive Windows intrusion pattern where execution, policy abuse, registry changes, service disruption, recovery inhibition, and data encryption can converge quickly into business interruption.

Executive priority

Treat this as a resilience and incident-readiness reference case for Windows-heavy environments, especially where logistics, transportation, or operational continuity are material. Leaders should ask whether teams can prove coverage for the behaviors linked to Prestige: scheduled task execution, PowerShell use, registry modification, Group Policy modification, service stopping, recovery inhibition, and encryption activity. The priority is validating evidence and response authority before an incident, not assuming ransomware prevention alone will be sufficient.

Technical view

ATT&CK provides no dedicated detection text for Prestige, so SOC and IR teams should validate around the related techniques: T1053.005 Scheduled Task, T1059.001 PowerShell, T1083 File and Directory Discovery, T1106 Native API, T1112 Modify Registry, T1484.001 Group Policy Modification, T1486 Data Encrypted for Impact, T1489 Service Stop, and T1490 Inhibit System Recovery. Focus on Windows endpoint and Active Directory control-plane visibility, especially task creation or execution, PowerShell command/script activity, registry changes, GPO/SYSVOL changes, service stop events, recovery-control tampering, and file encryption indicators.

Likely telemetry

  • Windows endpoint process creation and command-line telemetry
  • PowerShell execution and script block or module logging where available
  • Windows Task Scheduler creation, modification, and execution events
  • Registry modification telemetry
  • Active Directory Group Policy and SYSVOL change auditing

Detection direction

  • Because ATT&CK does not provide Prestige-specific detection guidance, build detections from the related behaviors rather than malware name alone.
  • Correlate scheduled task, PowerShell, registry, and GPO changes with privileged account context and unusual timing or scope.
  • Tune carefully for administrative false positives: task scheduling, PowerShell, registry edits, and GPO changes are common legitimate operations, so detections need baselines and change-management context.
  • Prioritize high-confidence chains: discovery followed by policy or registry modification, service stopping, recovery inhibition, and rapid file modification is more material than any single event alone.
  • Validate telemetry retention and centralization before relying on incident reconstruction, especially for domain controller, endpoint, and backup/recovery evidence.

Mitigation priorities

  • Harden and monitor privileged access paths that can modify Group Policy, registry settings, services, and scheduled tasks.
  • Restrict and audit administrative scripting and task scheduling capabilities on Windows systems consistent with operational needs.
  • Protect recovery mechanisms and backups from routine administrative compromise; validate that recovery evidence and restore paths remain available during a Windows ransomware scenario.
  • Establish incident response playbooks for service disruption, GPO rollback, recovery inhibition, and encryption events.
  • Use ATT&CK relationships to drive control validation exercises rather than relying only on signature-based malware coverage.

Analyst notes and limits

The supplied ATT&CK object identifies Prestige as Windows ransomware and links it to Sandworm Team usage and multiple ATT&CK techniques. The strongest defensive value comes from validating behavior-level telemetry and response readiness across Windows endpoints, Active Directory policy administration, and recovery controls.

No official ATT&CK detection text, aliases, labels, or malware-specific tactics were supplied for Prestige. The assessment should not be read as proof of current activity, customer exposure, or detection coverage. Local environment baselines, logging configuration, identity architecture, and backup design are required to determine actual risk and coverage.

Official MITRE ATT&CK definition

Prestige

Prestige ransomware has been used by Sandworm Team since at least March 2022, including against transportation and related logistics industries in Ukraine and Poland in October 2022.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure

Enterprise | T1484.001 | Group Policy Modification (sub-technique)
Prestige has been deployed using the Default Domain Group Policy Object from an Active Directory Domain Controller. [1]

Enterprise | T1489 | Service Stop
Prestige has attempted to stop the MSSQL Windows service to ensure successful encryption using `C:\Windows\System32\net.exe stop MSSQLSERVER`. [1]

Enterprise | T1486 | Data Encrypted for Impact
Prestige has leveraged the CryptoPP C++ library to encrypt files on target systems using AES and appended filenames with `.enc`. [1]

Enterprise | T1053.005 | Scheduled Task (sub-technique)
Prestige has been executed on a target system through a scheduled task created by Sandworm Team using Impacket. [1]

Enterprise | T1490 | Inhibit System Recovery
Prestige can delete the backup catalog from the target system using `c:\Windows\System32\wbadmin.exe delete catalog -quiet` and can also delete volume shadow copies using `\Windows\System32\vssadmin.exe delete shadows /all /quiet`. [1]

Enterprise | T1112 | Modify Registry
Prestige has the ability to register new registry keys for a new extension handler via `HKCR\.enc` and `HKCR\enc\shell\open\command`. [1]

Enterprise | T1106 | Native API
Prestige has used the `Wow64DisableWow64FsRedirection()` and `Wow64RevertWow64FsRedirection()` functions to disable and restore file system redirection. [1]

Enterprise | T1059.001 | PowerShell (sub-technique)
Prestige can use PowerShell for payload execution on targeted systems. [1]

Enterprise | T1083 | File and Directory Discovery
Prestige can traverse the file system to discover files to encrypt by identifying specific extensions defined in a hardcoded list. [1]
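An added example (not part of the ATT&CK object, the Microsoft report, or Glexia's analysis) that turns the "Detection direction" bullets and the procedure rows above into a prototype correlation rule: it matches the wbadmin/vssadmin, `net stop MSSQLSERVER` and `HKCR\.enc` handler procedures against constructed sample events and rates a host as a high-confidence chain only when several distinct techniques land inside one window, so an isolated administrative `net stop` stays low. The event field names, the ten-minute window and the sample events are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Patterns for the Prestige procedures listed on this page, keyed by ATT&CK
# technique; they fire on process command lines or registry-event text.
RULES = {
    "T1490": re.compile(r"(wbadmin|vssadmin)(\.exe)?\s+delete\s+(catalog|shadows)", re.I),
    "T1489": re.compile(r"\bnet(1|\.exe)?\s+stop\s+MSSQLSERVER\b", re.I),
    "T1112": re.compile(r"HKCR\\(\.enc\b|enc\\shell\\open\\command)", re.I),
}
WINDOW = timedelta(minutes=10)  # assumed correlation window; tune per environment

# Constructed sample events (not real telemetry): WS01 shows the chain,
# DB02 shows two isolated admin actions hours apart.
SAMPLE_EVENTS = [
    {"host": "WS01", "time": "2022-10-11T21:01:05", "user": "CORP\\svc_ops",
     "detail": r"C:\Windows\System32\wbadmin.exe delete catalog -quiet"},
    {"host": "WS01", "time": "2022-10-11T21:01:07", "user": "CORP\\svc_ops",
     "detail": r"\Windows\System32\vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS01", "time": "2022-10-11T21:01:09", "user": "CORP\\svc_ops",
     "detail": r"C:\Windows\System32\net.exe stop MSSQLSERVER"},
    {"host": "WS01", "time": "2022-10-11T21:01:30", "user": "CORP\\svc_ops",
     "detail": r"RegistryEvent SetValue HKCR\enc\shell\open\command"},
    {"host": "DB02", "time": "2022-10-11T09:15:00", "user": "CORP\\dba1",
     "detail": r"C:\Windows\System32\net.exe stop MSSQLSERVER"},
    {"host": "DB02", "time": "2022-10-11T18:40:00", "user": "CORP\\dba1",
     "detail": r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"},
]

def match_techniques(event):
    """Return the set of technique IDs whose pattern matches this event."""
    return {tid for tid, rx in RULES.items() if rx.search(event["detail"])}

def correlate(events, window=WINDOW):
    """Per host, largest set of distinct techniques inside one window: >=2 is high."""
    per_host = defaultdict(list)
    for ev in events:
        for tid in match_techniques(ev):
            per_host[ev["host"]].append((datetime.fromisoformat(ev["time"]), tid))
    findings = {}
    for host, hits in per_host.items():
        hits.sort()
        best = set()
        for i, (t0, _) in enumerate(hits):  # slide a window from each hit
            inside = {tid for t, tid in hits[i:] if t - t0 <= window}
            if len(inside) > len(best):
                best = inside
        findings[host] = {"techniques": sorted(best),
                          "confidence": "high" if len(best) >= 2 else "low"}
    return findings
```

In production the same logic would sit on centralized process-creation and registry telemetry (see "Likely telemetry"), with the window and the privileged-account context added as further scoring inputs.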

Associated objects

Groups, software, and campaigns

Group Enterprise

G0034: Sandworm Team

Sandworm Team is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.[1][2] This group has been active since at least 2009.[3][4][5][6]

In October 2020, the US indicted six GRU Unit 74455 officers associated with Sandworm Team for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide NotPetya attack, targeting of the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.[1][2] Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as APT28.[7]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 21f3ff63ffecf88a...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 21f3ff63ffec…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] Microsoft Prestige ransomware October 2022. MSTIC. (2022, October 14). New "Prestige" ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023.
  [2] mitre-attack S1058 (MITRE ATT&CK entry for S1058).

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.