Microsoft has issued an advisory warning organizations to deploy protections against a new strain of ransomware called PonyFinal, which has been used in attacks in the wild for the last two months.
PonyFinal is a Java-based ransomware deployed in human-operated ransomware attacks.
Human-operated ransomware is a subset of ransomware attacks in which the attackers breach a corporate network themselves, move through it, and deploy the ransomware by hand.
This contrasts with typical ransomware campaigns, such as those distributed through email spam or exploit kits, where infection depends on tricking victims into launching the payload.
Microsoft has been tracking incidents in which PonyFinal was used. The initial intrusion is through a targeted company's systems management server account, which the PonyFinal operators breach with brute-force attacks.
Once they have access, the operators deploy a Visual Basic script that runs a PowerShell reverse shell, which they use to dump and exfiltrate local data. They also deploy the Remote Manipulator System (RMS) remote-administration tool to bypass event logging.
Once the gang has a foothold in the target's network, they move laterally to other systems and deploy the PonyFinal ransomware itself.
Because PonyFinal is written in Java, the attackers usually target workstations on which the Java Runtime Environment (JRE) is installed. Microsoft has also seen cases where the gang installed JRE on systems before running the ransomware.
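The intrusion chain above leaves two footprints in the Windows Security log that are worth hunting for: a burst of failed logons (event 4625) against the management server account that ends in a successful logon (event 4624), and a process-creation record (event 4688) in which a script host (wscript.exe or cscript.exe) launches powershell.exe, which is what a VBScript starting a PowerShell reverse shell looks like. The script below is an added example, not code from Microsoft or from the article; the log records, account name, host and IP address in it are constructed for the example and the thresholds are arbitrary starting points. It assumes 4688 records carry the parent process name, which current Windows versions populate, and that command-line auditing ("Include command line in process creation events") is enabled if you want the CommandLine field.

```python
"""Hunt for the PonyFinal intrusion pattern in Windows Security log records.

Checks two behaviours:
  1. a brute-force burst of failed logons (4625) against one account from one
     source address that ends in a successful logon (4624) from that address;
  2. a process-creation record (4688) where wscript.exe/cscript.exe spawned
     powershell.exe.
The records below are constructed for this example (not real telemetry); field
names follow the Security log, the account/host/IP values are hypothetical."""
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2020, 5, 27, 2, 0, 0)

# Constructed sample: 40 failures three seconds apart against a management
# service account, then a success from the same address.
SAMPLE_EVENTS = [
    {"EventID": 4625, "Time": T0 + timedelta(seconds=3 * i),
     "TargetUserName": "svc_sccm", "IpAddress": "203.0.113.44"}
    for i in range(40)
] + [
    {"EventID": 4624, "Time": T0 + timedelta(minutes=2, seconds=5),
     "TargetUserName": "svc_sccm", "IpAddress": "203.0.113.44"},
    # A user mistyping a password twice stays below the threshold.
    {"EventID": 4625, "Time": T0 + timedelta(minutes=3),
     "TargetUserName": "alice", "IpAddress": "10.0.0.7"},
    {"EventID": 4625, "Time": T0 + timedelta(minutes=3, seconds=4),
     "TargetUserName": "alice", "IpAddress": "10.0.0.7"},
    {"EventID": 4624, "Time": T0 + timedelta(minutes=3, seconds=9),
     "TargetUserName": "alice", "IpAddress": "10.0.0.7"},
    # Script host spawning PowerShell (suspicious).
    {"EventID": 4688, "Time": T0 + timedelta(minutes=5),
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessName": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "powershell.exe -nop -w hidden"},
    # Interactive launch from the desktop shell (benign).
    {"EventID": 4688, "Time": T0 + timedelta(minutes=6),
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def brute_force_then_success(events, threshold=10, window=timedelta(minutes=5)):
    """Return (account, source_ip, failure_count) for every account/IP pair with
    at least `threshold` failed logons inside `window` that was followed by a
    successful logon for the same pair."""
    failures = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625:
            failures[(e["TargetUserName"], e["IpAddress"])].append(e["Time"])
    hits = []
    for key, times in failures.items():
        times.sort()
        # Sliding window: does any run of `threshold` failures fit in `window`?
        burst = any(times[i + threshold - 1] - times[i] <= window
                    for i in range(len(times) - threshold + 1))
        if not burst:
            continue
        last_failure = times[-1]
        succeeded = any(e["EventID"] == 4624
                        and (e["TargetUserName"], e["IpAddress"]) == key
                        and e["Time"] >= last_failure
                        for e in events)
        if succeeded:
            hits.append((key[0], key[1], len(times)))
    return hits


def script_host_spawned_powershell(events):
    """Return 4688 records in which wscript.exe or cscript.exe started powershell.exe."""
    hits = []
    for e in events:
        if e["EventID"] != 4688:
            continue
        parent = e["ParentProcessName"].rsplit("\\", 1)[-1].lower()
        child = e["NewProcessName"].rsplit("\\", 1)[-1].lower()
        if parent in SCRIPT_HOSTS and child == "powershell.exe":
            hits.append(e)
    return hits


if __name__ == "__main__":
    for account, ip, n in brute_force_then_success(SAMPLE_EVENTS):
        print(f"brute force: {n} failures for {account} from {ip}, then success")
    for e in script_host_spawned_powershell(SAMPLE_EVENTS):
        print(f"script host -> powershell at {e['Time']}: {e['CommandLine']}")
```

The brute-force rule keys on account plus source address, so a password-spraying operator rotating source IPs would evade it; if that is a concern, key on account alone and lower the threshold. The 4688 rule is deliberately narrow (script host parent, PowerShell child) to keep it quiet on admin workstations; Sysmon event 1 carries the same parent/child fields if you prefer that source.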
Files encrypted by PonyFinal have an additional ".enc" extension appended to their original file names.
The ransom note is usually named README_files.txt and is a plain text file containing payment instructions.
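The two indicators above, the ".enc" suffix and the README_files.txt note, are enough to sweep file shares for signs of a completed encryption run. The script below is an added example, not code from the article or from Microsoft; it builds a small constructed directory tree in a temporary folder so it runs offline, then walks it and reports directories that hold a ransom note next to several ".enc" files. The share names and file names in the sample tree are hypothetical, and the minimum count of encrypted files per directory is an arbitrary starting value.

```python
"""Sweep a directory tree for PonyFinal file-system indicators: files whose
original name has had ".enc" appended, and ransom notes named
README_files.txt.  The sample tree is constructed by this script (not a
real infection) so the example runs without any external data."""
import os
import tempfile
from collections import Counter

NOTE_NAME = "README_files.txt"
ENC_SUFFIX = ".enc"


def scan_for_indicators(root):
    """Walk `root` and return a dict with:
       notes:     paths of ransom notes found
       encrypted: paths of files ending in .enc
       by_dir:    Counter of .enc files per directory
    A lone .enc file is weak evidence (the extension is also used by
    legitimate tools); many .enc files beside a README_files.txt is the
    combination the article describes."""
    notes, encrypted, by_dir = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == NOTE_NAME:
                notes.append(path)
            elif name.lower().endswith(ENC_SUFFIX):
                encrypted.append(path)
                by_dir[dirpath] += 1
    return {"notes": notes, "encrypted": encrypted, "by_dir": by_dir}


def suspicious_dirs(result, min_encrypted=3):
    """Directories holding both a ransom note and at least `min_encrypted`
    .enc files (the threshold is an arbitrary starting point)."""
    note_dirs = {os.path.dirname(p) for p in result["notes"]}
    return sorted(d for d, n in result["by_dir"].items()
                  if n >= min_encrypted and d in note_dirs)


def build_sample_tree(root):
    """Constructed sample (hypothetical share and file names): one share that
    shows the PonyFinal pattern and one clean share with a stray .enc file, to
    exercise the false-positive case."""
    hit = os.path.join(root, "finance")
    clean = os.path.join(root, "engineering")
    os.makedirs(hit)
    os.makedirs(clean)
    for name in ("budget.xlsx.enc", "q1.docx.enc", "notes.txt.enc", NOTE_NAME):
        with open(os.path.join(hit, name), "wb") as f:
            f.write(b"constructed sample content")
    for name in ("design.md", "config.enc"):  # .enc used by a legitimate tool
        with open(os.path.join(clean, name), "wb") as f:
            f.write(b"constructed sample content")
    return hit, clean


def demo():
    """Build the sample tree in a temp dir, scan it, and return the raw result
    together with the flagged directories relative to the temp root."""
    root = tempfile.mkdtemp(prefix="ponyfinal_hunt_")
    build_sample_tree(root)
    result = scan_for_indicators(root)
    flagged = [os.path.relpath(d, root) for d in suspicious_dirs(result)]
    return result, flagged


if __name__ == "__main__":
    result, flagged = demo()
    print(f"{len(result['encrypted'])} .enc files, {len(result['notes'])} ransom notes")
    print("directories matching the PonyFinal pattern:", flagged)
```

Point `scan_for_indicators` at a mounted share or a forensic image mount rather than a live, still-encrypting host; on a live host the first action is isolation, not enumeration. File modification times on the ".enc" files also give you the encryption window for log correlation.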
As of now, there is no free decryptor to recover the encrypted files.
According to Michael Gillespie and MalwareHunterTeam, who run the ransomware identification portal ID-Ransomware, PonyFinal was first spotted earlier this year and had impacted only a few victims.
Gillespie, a malware researcher at Emsisoft, says all of the users who uploaded samples to ID-Ransomware for identification were from India, Iran, and the US.
Microsoft stated that PonyFinal is one of the numerous human-operated ransomware strains that have repeatedly targeted the healthcare sector during the coronavirus pandemic.