Microsoft warns about ongoing PonyFinal ransomware attacks

Microsoft is warning organizations to deploy protections against a new strain of PonyFinal ransomware that has been in the wild over the past two months.

Microsoft’s security team issued a series of tweets warning organizations to deploy protections against a new piece of ransomware dubbed PonyFinal that has been in the wild over the past two months.

PonyFinal is Java-based ransomware that is manually distributed by threat actors. The ransomware first appeared in the threat landscape earlier this year and was involved in highly targeted attacks against selected targets, mainly in India, Iran, and the US.

Human-operated ransomware is a technique usually employed in nation-state attacks that is becoming very popular in the cybercrime ecosystem.

In human-operated ransomware attack scenario, attackers use stolen credentials, exploit misconfiguration and vulnerabilities to access target networks, attempt to escalate privileges and move laterally, and deliver malware and exfiltrate data.

Most infamous human-operated ransomware campaigns include Sodinokibi, Samas, Bitpaymer, and Ryuk.

PonyFinal operators initially target organizations’ systems management server via brute force attacks, then they deploy a VBScript to run a PowerShell reverse shell to perform data dumps. Threat actors also use a remote manipulator system to bypass event logging.

Once the PonyFinal attackers gained access to the target’s network, they will move laterally to infect other systems with the ransomware.

In many cases, attackers targeted workstations running the Java Runtime Environment (JRE) because the PonyFinal is written in Java, but is some attacked the gang installed JRE on systems before deploying the ransomware.

The PonyFinal ransomware usually adds the “.enc” extension to the names of the encrypted files, it drops a ransom note (named README_files.txt) on the infected systems. The ransom note contains the payment instructions.

Experts pointed out that the encryption scheme of the PonyFinal ransomware is secure and there is no way at the time to recover encrypted files.

Unfortunately, PonyFinal is one of the several human-operated ransomware that were employed in attacks aimed at the healthcare sector during the COVID-19 pandemic.

Other threat are NetWalker, Maze, REvil, RagnarLocker, and LockBit.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Ponyfinal ransomware, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.