Microsoft Warns Of PonyFinal Ransomware Attacks Active In The Wild


Microsoft has alerted its users to stay vigilant against PonyFinal ransomware attacks. Because these attacks are active in the wild, Microsoft has urged users to watch for signs of its deployment.

PonyFinal Ransomware Attacks

In a series of tweets, Microsoft Security Intelligence has shared details about a new ransomware.

Dubbed PonyFinal, this ransomware is somewhat unusual in that it is Java-based.

As explained by Microsoft, the attackers gain access to the target firm’s system via brute force. They then deploy components to execute the attack. As stated,

They deploy a VBScript to run a PowerShell reverse shell to perform data dumps. They also deploy a remote manipulator system to bypass event logging.
In certain cases, the attackers deploy Java Runtime Environment (JRE), which the Java-based PonyFinal ransomware needs to run.

Microsoft suggested, though, that the attackers may also target endpoints that already have JRE installed, using stolen credentials.

Finally, an MSI file delivers the payload ransomware.

Another distinguishing feature of this ransomware is that it is human-operated: the attackers deploy it deliberately, only after they have breached the target network.

The following image depicts a PonyFinal ransomware attack scenario.

Figure: PonyFinal ransomware attack scenario (Source: Microsoft)

Upon breaching the target network, the attackers do not start taking over systems at random. Rather, they wait for the right moment and then encrypt files at a chosen time. The ransomware appends a .enc extension to the file names and drops a ransom note as a text file.
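The chain described above (a script host launching PowerShell, an MSI install followed by a Java payload, and a burst of .enc renames) maps onto a few simple telemetry checks. The following is an added example, not code from Microsoft or from the original article: it runs three such heuristics over constructed process-creation and file-rename events. The event format, host names, paths, thresholds and time windows are all assumptions made for the example.

```python
"""Toy triage over constructed endpoint telemetry, keyed to the PonyFinal
chain described in the article: script host -> PowerShell, msiexec ->
java.exe, and mass renames to a .enc extension. The heuristics and the
sample events are constructed for this example; they are not Microsoft's
detection logic and the values are not indicators from any real incident."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events: (time, host, parent image, image, command line)
PROCESS_EVENTS = [
    ("2020-04-20T01:02:00", "srv01", "wscript.exe", "powershell.exe", "powershell -NoProfile"),
    ("2020-04-20T01:10:00", "srv01", "services.exe", "msiexec.exe", "msiexec /i setup.msi /qn"),
    ("2020-04-20T01:11:30", "srv01", "msiexec.exe", "java.exe", "java -jar C:\\ProgramData\\x.jar"),
    # Benign Java application on another host, with no preceding MSI install
    ("2020-04-20T09:00:00", "ws07", "explorer.exe", "java.exe", "java -jar C:\\Program Files\\app\\app.jar"),
]

# Constructed file-rename events: (time, host, old path, new path)
FILE_EVENTS = [
    (f"2020-04-20T01:30:{s:02d}", "srv01", f"D:\\share\\doc{i}.docx", f"D:\\share\\doc{i}.docx.enc")
    for i, s in enumerate(range(0, 60, 10))  # six renames inside one minute
] + [
    ("2020-04-20T02:00:00", "ws07", "C:\\tmp\\a.txt", "C:\\tmp\\a.txt.enc"),  # one-off, below threshold
    ("2020-04-20T02:05:00", "ws07", "C:\\tmp\\b.txt", "C:\\tmp\\b.bak"),      # not .enc at all
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def parse_ts(s):
    return datetime.fromisoformat(s)


def script_host_spawning_powershell(events):
    """Rule 1: a Windows script host (the VBScript stage) launching PowerShell."""
    return [(t, h) for t, h, parent, image, _ in events
            if parent.lower() in SCRIPT_HOSTS and image.lower() == "powershell.exe"]


def java_following_msi(events, window=timedelta(minutes=10)):
    """Rule 2: java.exe starting on a host within `window` of an msiexec run,
    matching 'an MSI file delivers the Java-based payload'."""
    msi_times = defaultdict(list)
    for t, h, _, image, _ in events:
        if image.lower() == "msiexec.exe":
            msi_times[h].append(parse_ts(t))
    hits = []
    for t, h, _, image, _ in events:
        if image.lower() != "java.exe":
            continue
        jt = parse_ts(t)
        if any(timedelta(0) <= jt - mt <= window for mt in msi_times[h]):
            hits.append((t, h))
    return hits


def mass_enc_renames(events, threshold=5, window=timedelta(seconds=60)):
    """Rule 3: at least `threshold` files on one host gaining a .enc extension
    inside `window`, the encryption stage. Returns (host, count) per host."""
    per_host = defaultdict(list)
    for t, h, _old, new in events:
        if new.lower().endswith(".enc"):
            per_host[h].append(parse_ts(t))
    hits = []
    for h, times in per_host.items():
        times.sort()
        for i, start in enumerate(times):
            n = sum(1 for x in times[i:] if x - start <= window)
            if n >= threshold:
                hits.append((h, n))
                break
    return hits


def triage(process_events=PROCESS_EVENTS, file_events=FILE_EVENTS):
    """Run all three rules and return human-readable findings."""
    findings = []
    for t, h in script_host_spawning_powershell(process_events):
        findings.append(f"{h} {t}: script host spawned PowerShell")
    for t, h in java_following_msi(process_events):
        findings.append(f"{h} {t}: java.exe started shortly after an MSI install")
    for h, n in mass_enc_renames(file_events):
        findings.append(f"{h}: {n} files renamed to .enc within one minute")
    return findings


if __name__ == "__main__":
    for line in triage():
        print(line)
```

Each rule on its own is noisy (administrators run MSI installers and Java applications legitimately); the value is in seeing several of them fire on the same host in sequence. The article also notes that the operators deploy a remote manipulator system to bypass event logging, so host-local telemetry may be suppressed by the time the encryption stage runs; forwarding process and file events to a collector the attackers cannot edit is what makes checks like these worth running.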

Active Attacks Detected In The Wild

Reportedly, the PonyFinal campaigns are active in the wild with the first detection dating back to April 2020. According to ZDNet, the campaigns have predominantly targeted India, Iran, and the USA.

PonyFinal isn’t the first human-operated ransomware. Earlier, BitPaymer, Ryuk, and REvil (also known as Sodinokibi) targeted various organizations in the same way.

Sharing the details with DarkReading, Phillip Misner, Research Director, Microsoft Threat Protection, stated,

Like all of these human-operated ransomware campaigns, this is a cut above your normal criminal organization…
These attackers are looking for targets of opportunity.

Therefore, all organizations must double-check the security status of their IT infrastructure to prevent any mishaps.

Let us know your thoughts in the comments.


Abeerah Hashim

Abeerah has been a passionate blogger for several years with a particular interest towards science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world! Reach out to me at: [email protected]

