Microsoft Warns Of PonyFinal Ransomware Attacks Active In The Wild

Microsoft alerted all its users to stay vigilant with regard to PonyFinal ransomware attacks. Since the ransomware attacks are active in the wild, Microsoft has urged users to pay attention to its deployment.

PonyFinal Ransomware Attacks

In a series of tweets, Microsoft Security Intelligence has shared details about a new ransomware.

Dubbed PonyFinal, this ransomware is somewhat different as it bases on Java.

As explained by Microsoft, the attackers gain access to the target firm’s system via brute force. They then deploy components to execute the attack. As stated,

They deploy a VBScript to run a PowerShell reverse shell to perform data dumps. They also deploy a remote manipulator system to bypass event logging.
In certain cases, the attackers deploy Java Runtime Environment (JRE), which the Java-based PonyFinal ransomware needs to run.

Though, Microsoft suggested that the attackers may also target the endpoints with pre-installed JRE by using stolen details.

Finally, an MSI file delivers the payload ransomware.

Another distinction of this ransomware is that it has human operators at its back. It means the attackers specifically deploy this ransomware after breaching the target networks.

The following image depicts a PonyFinal ransomware attack scenario.

Source: Microsoft

Upon breaching the target network, the attackers do not start taking over the system randomly. Rather they wait for the right time and then encrypt files at a specified time. The ransomware then adds a .enc extension to the file names and places a ransom note in the text file.

Active Attacks Detected In The Wild

Reportedly, the PonyFinal campaigns are active in the wild with the first detection dating back to April 2020. According to ZDNet, the campaigns have predominantly targeted India, Iran, and the USA.

PonyFinal isn’t the first ransomware with human operators. Earlier, Bitpaymer, Ryuk, REvil (or Sodinobiki), have also targeted various organizations.

Sharing the details with DarkReading, Phillip Misner, Research Director, Microsoft Threat Protection, stated,

Like all of these human-operated ransomware campaigns, this is a cut above your normal criminal organization…
These attackers are looking for targets of opportunity.

Therefore, all organizations must double-check the security status of their IT infrastructure to prevent any mishaps.

Let us know your thoughts in the comments.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients