PonyFinal infections have been reported in India, Iran, and the US.
By Catalin Cimpanu for Zero Day
Microsoft’s security team has issued an advisory today warning organisations around the globe to deploy protections against a new strain of ransomware that has been in the wild over the past two months.
“PonyFinal is a Java-based ransomware that is deployed in human-operated ransomware attacks,” Microsoft said in a series of tweets published today.
Human-operated ransomware is a subsection of the ransomware category. In human-operated ransomware attacks, hackers breach corporate networks and deploy the ransomware themselves.
This is in opposition to classic ransomware attacks that have been seen in the past, such as ransomware distributed via email spam or exploit kits, where the infection process relies on tricking the users in launching the payload.
How PonyFinal operates
Microsoft says it’s been tracking incidents where the PonyFinal ransomware has been deployed.
The intrusion point is usually an account on a company’s systems management server, which the PonyFinal gang breaches using brute-force attacks that guess weak passwords.
Once inside, Microsoft says the PonyFinal gang deploys a Visual Basic script that runs a PowerShell reverse shell to dump and steal local data. In addition, the ransomware operators also deploy “a remote manipulator system to bypass event logging.”
Once the PonyFinal gang has a firm grasp on the target’s network, they then spread to other local systems and deploy the actual PonyFinal ransomware.
In most cases, attackers target workstations where the Java Runtime Environment (JRE) is installed, since PonyFinal is written in Java. But Microsoft says it also has seen instances where the gang installed JRE on systems before running the ransomware.