Microsoft’s security team has issued an advisory today warning organizations around the globe to deploy protections against a new strain of ransomware that has been in the wild over the past two months.
“PonyFinal is a Java-based ransomware that is deployed in human-operated ransomware attacks,”.
Human-operated ransomware is a subsection of the ransomware category. In human-operated ransomware attacks, hackers breach corporate networks and deploy the ransomware themselves.null
This is in opposition to classic ransomware attacks that have been seen in the past, such as ransomware distributed via email spam or exploit kits, where the infection process relies on tricking the users in launching the payload.
HOW PONYFINAL OPERATES
Microsoft says it’s been tracking incidents where the PonyFinal ransomware has been deployed.
The intrusion point is usually an account on a company’s systems management server, which the PonyFinal gang breaches using brute-force attacks that guess weak passwords.
Once inside, Microsoft says the PonyFinal gang deploys a Visual Basic script that runs a PowerShell reverse shell to dump and steal local data. In addition, the ransomware operators also deploy “a remote manipulator system to bypass event logging.”
Once the PonyFinal gang has a firm grasp on the target’s network, they then spread to other local systems and deploy the actual PonyFinal ransomware.
In most cases, attackers target workstations where the Java Runtime Environment (JRE) is installed, since PonyFinal is written in Java. But Microsoft says it also has seen instances where the gang installed JRE on systems before running the ransomware.image: Microsoftnull
Microsoft says that files encrypted with the PonyFinal ransomware usually have an additional “.enc” file extension added to the end of each encrypted file.