Microsoft has warned organizations about the PonyFinal ransomware, whose attacks have already been recorded in India, Iran and the USA.
The malware is written in Java and is used in human-operated attacks: the operators break into a corporate network and deploy the ransomware by hand, rather than distributing the encryptor automatically through mail spam or exploit kits, as is usually the case.
Microsoft reports that, as a rule, the initial access point is an account on the target's systems management server, which PonyFinal operators compromise by brute-forcing weak passwords. On that server the attackers deploy a Visual Basic script that launches a PowerShell reverse shell, which is then used to collect and exfiltrate data.
Having gained a foothold in the target company's network, the attackers move laterally to other local systems and only then deploy the PonyFinal ransomware itself. Because PonyFinal is written in Java, the operators usually target workstations that already have the Java Runtime Environment (JRE) installed. Microsoft's experts note, however, that they have also seen cases where the group installed a JRE on the victim's systems themselves before launching the encryptor.
Files encrypted by PonyFinal usually carry the extension .enc. PonyFinal's encryption is considered sound: at the time of writing there is no known weakness in the scheme and no free tool that can decrypt affected data.
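The stages just described (brute force against a management-server account, a VBScript that spawns a PowerShell reverse shell, an attacker-installed JRE, and a burst of files renamed to .enc) each leave telemetry a defender can hunt for. The Python below is an added example, not Microsoft's detection content or anything from the original article: it runs four simple rules over a constructed set of process, logon and file-rename events. The event schema, the host names (SCCM01, WS-17, DEV-03), the JRE inventory and the thresholds are all assumptions made for the example.

```python
"""
Hunting rules for the PonyFinal intrusion chain described above.

Added, illustrative example; not Microsoft's or any vendor's detection
content. The event schema, every sample event, the JRE inventory and the
thresholds below are constructed assumptions for the example.
"""
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}       # Windows Script Host binaries
JAVA_IMAGES = {"java.exe", "javaw.exe"}
FAILED_LOGON_THRESHOLD = 50   # assumed: failures per (host, account) per window
ENC_RENAME_THRESHOLD = 20     # assumed: .enc renames per host per window
WINDOW_SECONDS = 60


def _bursts(stamped, threshold, window=WINDOW_SECONDS):
    """Return the keys whose timestamps contain >= threshold events inside
    any `window`-second span (sliding window over sorted timestamps)."""
    hits = set()
    for key, stamps in stamped.items():
        stamps = sorted(stamps)
        lo = 0
        for hi, t in enumerate(stamps):
            while t - stamps[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                hits.add(key)
                break
    return hits


def brute_force_candidates(events, threshold=FAILED_LOGON_THRESHOLD):
    """Stage 1: (host, account) pairs hammered with failed logons, the
    password-guessing against the management server."""
    stamped = defaultdict(list)
    for e in events:
        if e["kind"] == "logon_failure":
            stamped[(e["host"], e["user"])].append(e["ts"])
    return _bursts(stamped, threshold)


def script_host_to_powershell(events):
    """Stage 2: wscript/cscript spawning PowerShell, the VBScript that
    launches the reverse shell. Returns the matching process events."""
    return [e for e in events
            if e["kind"] == "process"
            and e.get("parent", "").lower() in SCRIPT_HOSTS
            and e.get("image", "").lower() == "powershell.exe"]


def unexpected_jre(events, jre_inventory):
    """Stage 3: a Java runtime executing on a host that the (assumed) asset
    inventory does not list as having a JRE, i.e. a runtime the attacker
    brought along. Returns the matching process events."""
    return [e for e in events
            if e["kind"] == "process"
            and e.get("image", "").lower() in JAVA_IMAGES
            and e["host"] not in jre_inventory]


def enc_rename_bursts(events, threshold=ENC_RENAME_THRESHOLD):
    """Stage 4: hosts where many files gained the .enc extension within one
    window, the encryption run itself."""
    stamped = defaultdict(list)
    for e in events:
        if e["kind"] == "file_rename" and e.get("path", "").lower().endswith(".enc"):
            stamped[e["host"]].append(e["ts"])
    return _bursts(stamped, threshold)


def run(events, jre_inventory):
    """Apply all four rules and return the findings keyed by stage."""
    return {
        "brute_force": brute_force_candidates(events),
        "vbs_to_powershell": [(e["host"], e["cmdline"]) for e in script_host_to_powershell(events)],
        "unexpected_jre": [(e["host"], e["cmdline"]) for e in unexpected_jre(events, jre_inventory)],
        "enc_burst": enc_rename_bursts(events),
    }


# Constructed sample telemetry (not real logs). SCCM01 plays the management
# server; WS-17 is a workstation with no JRE; DEV-03 legitimately has one.
SAMPLE_EVENTS = (
    [{"kind": "logon_failure", "ts": i, "host": "SCCM01", "user": "svc_deploy"} for i in range(60)]
    + [{"kind": "logon_failure", "ts": i * 300, "host": "SCCM01", "user": "jdoe"} for i in range(10)]
    + [
        {"kind": "process", "ts": 100, "host": "SCCM01", "parent": "wscript.exe",
         "image": "powershell.exe", "cmdline": "powershell.exe -nop -w hidden -e <base64 payload>"},
        {"kind": "process", "ts": 101, "host": "WS-17", "parent": "explorer.exe",
         "image": "powershell.exe", "cmdline": "powershell.exe Get-Process"},
        {"kind": "process", "ts": 400, "host": "WS-17", "parent": "cmd.exe",
         "image": "java.exe", "cmdline": "java.exe -jar C:\\Users\\Public\\dropped.jar"},
        {"kind": "process", "ts": 401, "host": "DEV-03", "parent": "explorer.exe",
         "image": "java.exe", "cmdline": "java.exe -jar C:\\Apps\\build.jar"},
    ]
    + [{"kind": "file_rename", "ts": 500 + i, "host": "WS-17", "path": f"C:\\Data\\doc{i}.docx.enc"}
       for i in range(30)]
    + [{"kind": "file_rename", "ts": 500, "host": "DEV-03", "path": "C:\\tmp\\a.txt.enc"}]
)
JRE_INVENTORY = {"DEV-03"}   # assumed asset-inventory data: hosts known to ship a JRE

if __name__ == "__main__":
    for stage, findings in run(SAMPLE_EVENTS, JRE_INVENTORY).items():
        print(f"{stage}: {findings}")
```

On the constructed data only the attacker's path lights up: svc_deploy on SCCM01 (60 failures in a minute, jdoe's spread-out failures do not), the wscript-launched PowerShell on SCCM01, java.exe on WS-17 (DEV-03 is in the inventory) and the 30-file .enc burst on WS-17. In a real environment the thresholds, the inventory source and the event fields would come from your own logging pipeline, and the .enc rule in particular should be treated as a late, confirmatory signal rather than the one you hope to catch first.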
According to security researchers Michael Gillespie and MalwareHunterTeam, PonyFinal appeared earlier this year, and so far few companies have been hit by it, which supports the view that PonyFinal is used in targeted attacks against carefully selected victims.
Emsisoft researcher Michael Gillespie notes that the users who uploaded malware samples to ID-Ransomware for identification were located in India, Iran and the United States.
According to Microsoft, PonyFinal belongs to the short list of human-operated ransomware families. Such malware has recently been used repeatedly against healthcare organizations, even during the ongoing coronavirus pandemic. Besides PonyFinal, the list includes RobbinHood, NetWalker, Maze, REvil (Sodinokibi), Paradise, RagnarLocker, MedusaLocker and LockBit.