Microsoft has warned organizations globally about a new type of data stealing Java-based ransomware dubbed “PonyFinal”. The tech giant described the malware as human-operated ransomware, which is distributed in an automated way by attackers. “PonyFinal is a Java-based ransomware that is deployed in human-operated ransomware attacks.
While Java-based ransomware are not unheard of, they are not as common as other threat file types. However, organizations should focus less on this payload and more on how it’s delivered,” Microsoft said in a post.
How Ponyfinal Attacks
According to Microsoft’s security intelligence team, PonyFinal ransomware encrypts files at a particular date and time by encrypting the files with .enc extension. The ransom note is a simple text filewhich gain access to a targeted organization via brute force attacks against the systems management server. It then deploys a VBScript to run a PowerShell reverse shell to perform data dumps and a remote manipulator system to bypass event logging.
“The PonyFinal ransomware is delivered through an MSI file that contains two batch files and the ransomware payload. UVNC_Install.bat creates a scheduled task named “Java Updater” and calls RunTask.bat, which runs the payload, PonyFinal.JAR. In certain cases, the attackers deploy Java Runtime Environment (JRE), which the Java-based PonyFinal ransomware needs to run. However, evidence suggests that attackers use information stolen from the systems management server to target endpoints with JRE already installed,” Microsoft added.
Building Pro-Active Security Helps Preventing Ransomware Attacks
According to the Microsoft Threat Protection Intelligence Team, cybercriminals have been using the ongoing COVID-19 outbreak to gain information from organizations to plan future attacks. The team said that they have observed multiple hacking groups activating dozens of ransomware deployments in the first two weeks of April 2020. Threat actors have reinvented their attack approaches during the. “These attacks can even be fatal, given their impact on aid organizations, medical billing companies, manufacturing, transport, government institutions and educational software providers. However, despite this global crisis, ransomware groups seem to give little regard to the critical services they impact,” Microsoft said in a post.