Microsoft Warns of New Ransomware: PonyFinal

Microsoft has warned organizations worldwide about a new Java-based ransomware family dubbed “PonyFinal” that also steals data. PonyFinal is human-operated ransomware: rather than spreading through automated spam campaigns or exploit kits, it is deployed by attackers who have already broken into the target network.

Because it is hands-on-keyboard, the threat actors propagate the ransomware manually and decide when it runs. According to experts, PonyFinal uses a secure encryption scheme, so there is no known way to recover encrypted files without the attackers' key.

PonyFinal has been used in highly targeted attacks against organizations in the U.S., India, and Iran, and it has repeatedly hit the healthcare sector during the COVID-19 pandemic.

How PonyFinal Attacks

According to Microsoft’s security intelligence team, the attackers first gain access to a targeted organization through brute-force attacks against its systems management server. They then deploy a VBScript that launches a PowerShell reverse shell, which is used to dump data, and a remote manipulator system (RMS) tool to bypass event logging. PonyFinal itself is set to run at a particular date and time; when it fires, it encrypts files, appends the .enc extension to them, and drops a ransom note as a plain text file.

The ransomware is delivered as an MSI file that contains two batch files and the ransomware payload. UVNC_Install.bat creates a scheduled task named “Java Updater” that calls RunTask.bat, which in turn runs the payload, PonyFinal.JAR.

In some cases the attackers also deploy the Java Runtime Environment (JRE), which the Java-based PonyFinal needs in order to run. More often, however, the evidence suggests they use information stolen from the systems management server to pick endpoints that already have JRE installed.
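The delivery chain described above (a scheduled task named “Java Updater” calling RunTask.bat, which runs PonyFinal.JAR) is a concrete hunting target. The following Python is an added example, not code from Microsoft or from this article: it parses Windows Security event 4698 (“a scheduled task was created”; the Audit Other Object Access Events subcategory must be enabled for it to be logged), reads each task's Exec actions from the TaskContent XML, and flags tasks that reuse the Java Updater name or whose action runs a batch file or a Java archive. The event records are constructed for the example, and the .bat/.jar rules are a heuristic of mine rather than published indicators, so hits need analyst triage.

```python
"""Hunt for PonyFinal-style scheduled-task persistence in Windows event data.

Added example: parses Security event 4698 ("a scheduled task was created")
records, reads each task's <Exec> actions, and flags tasks that reuse the
"Java Updater" name from the article or that launch a batch file or a Java
archive. The records below are constructed for the example, not real logs.
"""
import re
import xml.etree.ElementTree as ET

# Namespace of the Task Scheduler XML carried in the event's TaskContent field.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Task name from the article. The .bat/.jar rules below are an assumption
# (a heuristic a hunter would tune), not indicators published by Microsoft.
KNOWN_TASK_NAMES = {"java updater"}
JAVA_LAUNCHER_RE = re.compile(r"(^|[\\/])javaw?(\.exe)?$", re.IGNORECASE)
BATCH_RE = re.compile(r"\.bat\b")
JAR_RE = re.compile(r"\.jar\b")

# Constructed sample events: one matching the chain in the text, one benign
# built-in task, one generic javaw.exe -jar launcher under another name.
SAMPLE_4698_EVENTS = [
    {
        "TaskName": r"\Java Updater",
        "SubjectUserName": "svc_mgmt",
        "TaskContent": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions><Exec><Command>C:\Windows\Temp\RunTask.bat</Command></Exec></Actions>
</Task>""",
    },
    {
        "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
        "SubjectUserName": "SYSTEM",
        "TaskContent": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions><Exec><Command>%windir%\system32\defrag.exe</Command><Arguments>-c -h -o</Arguments></Exec></Actions>
</Task>""",
    },
    {
        "TaskName": r"\Updates\Maintenance",
        "SubjectUserName": "svc_mgmt",
        "TaskContent": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions><Exec><Command>C:\Program Files\Java\jre1.8.0_251\bin\javaw.exe</Command><Arguments>-jar C:\ProgramData\update.jar</Arguments></Exec></Actions>
</Task>""",
    },
]


def exec_actions(task_xml: str):
    """Yield (command, arguments) for every <Exec> action in a task definition."""
    root = ET.fromstring(task_xml)
    for node in root.iterfind(".//t:Actions/t:Exec", TASK_NS):
        cmd = node.findtext("t:Command", default="", namespaces=TASK_NS).strip()
        args = node.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
        yield cmd, args


def classify_task(task_name: str, task_xml: str) -> list:
    """Return the reasons a task looks like PonyFinal-style persistence (empty list = clean)."""
    reasons = []
    if task_name.strip("\\").lower() in KNOWN_TASK_NAMES:
        reasons.append("task name matches PonyFinal name: " + task_name)
    for cmd, args in exec_actions(task_xml):
        full = (cmd + " " + args).strip()
        lowered = full.lower()
        if BATCH_RE.search(lowered):
            reasons.append("action runs a batch file: " + full)
        if JAVA_LAUNCHER_RE.search(cmd) or JAR_RE.search(lowered):
            reasons.append("action launches Java or a .jar: " + full)
    return reasons


def hunt(events) -> list:
    """Return (task_name, creating_user, reasons) for each 4698 event that trips a rule."""
    hits = []
    for ev in events:
        reasons = classify_task(ev["TaskName"], ev["TaskContent"])
        if reasons:
            hits.append((ev["TaskName"], ev.get("SubjectUserName", "?"), reasons))
    return hits


if __name__ == "__main__":
    for name, user, reasons in hunt(SAMPLE_4698_EVENTS):
        print(f"{name} (created by {user})")
        for r in reasons:
            print("   - " + r)
```

On real data, feed the function the TaskName, SubjectUserName and TaskContent fields exported from event 4698 (for example via `Get-WinEvent` or your SIEM); the creating account is worth keeping in the output because a service account tied to the systems management server creating Java-launching tasks across many hosts is exactly the pattern the text describes.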

Java-based ransomware is not unheard of, but it is far less common than other payload file types. Organizations should therefore focus less on the payload itself and more on how it is delivered: these attacks are aimed at essential services and are conducted at the enterprise level, with the attackers working through the network rather than hitting isolated machines.

Recommendations

Consider the following best practices:

  • Stay vigilant, and investigate and remediate ransomware activity as soon as it is detected.
  • Use application whitelisting so that only approved programs can run on the network.
  • Continue to enforce proven controls such as credential hygiene, least privilege, and host firewalls to blunt these attacks.
  • Before rebuilding affected endpoints or resetting passwords, check for exposed credentials, additional payloads, and signs of lateral movement, so that the attackers cannot simply return.
  • Keep software and operating systems updated with the latest patches; outdated applications and operating systems are the target of most attacks.
  • Back up data regularly, keep the backups on a separate device, and store them offline.
  • Enable strong spam filters to keep phishing emails from reaching end users, and authenticate inbound email to prevent spoofing.