The Prestige ransomware attacks against organizations in Ukraine and Poland were carried out by the Russian hacking group Iridium, whose activity overlaps with the Sandworm threat group, according to The Record, the news site run by cybersecurity firm Recorded Future.
Iridium "has been consistently active in the war in Ukraine and has been linked to destructive attacks since the start of the war," said researchers from the Microsoft Security Threat Intelligence Center (MSTIC). The researchers attributed the Prestige attacks to the group on the basis of attack infrastructure and forensic artifacts, which also suggested that the group had been compromising multiple organizations as early as March.
The report also showed that Iridium used two remote code execution tools before deploying the ransomware, indicating that the group already had a foothold in victim networks when the payload was dropped. The group has also been observed shifting its attacks toward organizations providing humanitarian or military aid to Ukraine.
"More broadly, it may represent an increased risk to organizations in Eastern Europe that may be considered by the Russian state to be providing support relating to the war," MSTIC researchers added.