Microsoft warns about ongoing PonyFinal ransomware attacks

Microsoft is warning organizations to deploy protections against a new strain of PonyFinal ransomware that has been in the wild over the past two months.

Microsoft’s security team issued a series of tweets warning organizations to deploy protections against a new piece of ransomware dubbed PonyFinal that has been in the wild over the past two months.

PonyFinal is Java-based ransomware that is manually distributed by threat actors. The ransomware first appeared in the threat landscape earlier this year and was involved in highly targeted attacks against selected targets, mainly in India, Iran, and the US.

PonyFinal is a Java-based ransomware that is deployed in human-operated ransomware attacks. While Java-based ransomware are not unheard of, they’re not as common as other threat file types. However, organizations should focus less on this payload and more on how it’s delivered. pic.twitter.com/Q3BMs7fSvx— Microsoft Security Intelligence (@MsftSecIntel) May 27, 2020Human-operated ransomware is a technique usually employed in nation-state attacks that is becoming very popular in the cybercrime ecosystem.

PonyFinal is at the tail end of protracted human-operated ransomware campaigns that are known to stay dormant and wait for the most opportune time to deploy the payload. Learn how to build organizational security hygiene to prevent human-operated attacks: https://t.co/Y7IdIw4b2p— Microsoft Security Intelligence (@MsftSecIntel) May 27, 2020In human-operated ransomware attack scenario, attackers use stolen credentials, exploit misconfiguration and vulnerabilities to access target networks, attempt to escalate privileges and move laterally, and deliver malware and exfiltrate data.

Most infamous human-operated ransomware campaigns include Sodinokibi, Samas, Bitpaymer, and Ryuk.

PonyFinal operators initially target organizations’ systems management server via brute force attacks, then they deploy a VBScript to run a PowerShell reverse shell to perform data dumps. Threat actors also use a remote manipulator system to bypass event logging.

In certain cases, the attackers deploy Java Runtime Environment (JRE), which the Java-based PonyFinal ransomware needs to run. However, evidence suggests that attackers use information stolen from the systems management server to target endpoints with JRE already installed.— Microsoft Security Intelligence (@MsftSecIntel) May 27, 2020Once the PonyFinal attackers gained access to the target’s network, they will move laterally to infect other systems with the ransomware.

In many cases, attackers targeted workstations running the Java Runtime Environment (JRE) because the PonyFinal is written in Java, but is some attacked the gang installed JRE on systems before deploying the ransomware.

The PonyFinal ransomware usually adds the “.enc” extension to the names of the encrypted files, it drops a ransom note (named README_files.txt) on the infected systems. The ransom note contains the payment instructions.

Experts pointed out that the encryption scheme of the PonyFinal ransomware is secure and there is no way at the time to recover encrypted files.

Unfortunately, PonyFinal is one of the several human-operated ransomware that were employed in attacks aimed at the healthcare sector during the COVID-19 pandemic.

Other threat are NetWalker, Maze, REvil, RagnarLocker, and LockBit.

The post Microsoft warns about ongoing PonyFinal ransomware attacks appeared first on Security Affairs.