Microsoft alerted all its users to stay vigilant with regard to PonyFinal ransomware attacks. Since the ransomware attacks are active in the wild, Microsoft has urged users to pay attention to its deployment.
PonyFinal Ransomware Attacks
In a series of tweets, Microsoft Security Intelligence has shared details about a new ransomware.
Dubbed PonyFinal, this ransomware is somewhat different as it bases on Java.
As explained by Microsoft, the attackers gain access to the target firm’s system via brute force. They then deploy components to execute the attack. As stated,
They deploy a VBScript to run a PowerShell reverse shell to perform data dumps. They also deploy a remote manipulator system to bypass event logging.
In certain cases, the attackers deploy Java Runtime Environment (JRE), which the Java-based PonyFinal ransomware needs to run.
Though, Microsoft suggested that the attackers may also target the endpoints with pre-installed JRE by using stolen details.
Finally, an MSI file delivers the payload ransomware.
The PonyFinal ransomware is delivered through an MSI file that contains two batch files and the ransomware payload. UVNC_Install.bat creates a scheduled task named "Java Updater" and calls RunTask.bat, which runs the payload, PonyFinal.JAR.
— Microsoft Security Intelligence (@MsftSecIntel) May 27, 2020
Another distinction of this ransomware is that it has human operators at its back. It means the attackers specifically deploy this ransomware after breaching the target networks.
PonyFinal is at the tail end of protracted human-operated ransomware campaigns that are known to stay dormant and wait for the most opportune time to deploy the payload. Learn how to build organizational security hygiene to prevent human-operated attacks: https://t.co/Y7IdIw4b2p
— Microsoft Security Intelligence (@MsftSecIntel) May 27, 2020
The following image depicts a PonyFinal ransomware attack scenario.
Upon breaching the target network, the attackers do not start taking over the system randomly. Rather they wait for the right time and then encrypt files at a specified time. The ransomware then adds a .enc extension to the file names and places a ransom note in the text file.
Active Attacks Detected In The Wild
Reportedly, the PonyFinal campaigns are active in the wild with the first detection dating back to April 2020. According to ZDNet, the campaigns have predominantly targeted India, Iran, and the USA.
PonyFinal isn’t the first ransomware with human operators. Earlier, Bitpaymer, Ryuk, REvil (or Sodinobiki), have also targeted various organizations.
Sharing the details with DarkReading, Phillip Misner, Research Director, Microsoft Threat Protection, stated,
Like all of these human-operated ransomware campaigns, this is a cut above your normal criminal organization…
These attackers are looking for targets of opportunity.
Therefore, all organizations must double-check the security status of their IT infrastructure to prevent any mishaps.
Let us know your thoughts in the comments.