Last week, Microsoft’s security team issued an advisory warning organizations around the world to protect themselves against a new strain of ransomware that has been circulating for about two months. PonyFinal is a Java-based ransomware that is deployed in human-operated ransomware attacks, a distinct subcategory of ransomware.

In these attacks, the operators breach the corporate network and deploy the ransomware themselves. Traditional ransomware campaigns, by contrast, are distributed through email or exploit kits, where infection relies on fooling a user into launching the payload.

In PonyFinal intrusions, the entry point is usually an account on the target’s systems management server, which the PonyFinal gang breaches with brute-force attacks that guess weak passwords. Once inside, the attackers deploy a Visual Basic script that launches a PowerShell reverse shell, which they use to dump and exfiltrate local data. They also deploy a remote manipulator system to bypass event logging.

Once the PonyFinal gang has a foothold on the target’s network, they move laterally to other systems and deploy the ransomware itself. Because PonyFinal is written in Java, it needs a Java Runtime Environment to run; Microsoft noted that the attackers either install the JRE themselves or, more often, use information taken from the systems management server to pick endpoints that already have it.

According to Microsoft, files encrypted by PonyFinal carry an additional “.enc” extension appended to the original file name. The ransom note is a text file named README_files.txt containing payment instructions.
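The two stages described above leave observable traces: a burst of failed logons against a management account before the break-in, and files renamed with “.enc” beside a README_files.txt note after encryption. The script below is an added example written for this article, not code from Microsoft or from the PonyFinal analysis; it applies a sliding-window brute-force detector to constructed logon records (a simplified timestamp/account/source/outcome shape, not real Windows events) and then scans a constructed directory for the on-disk footprint. The account name, IP addresses, thresholds and file names other than “.enc” and README_files.txt are assumptions made for illustration.

```python
"""Detection helpers for the two observable stages of a PonyFinal intrusion:
   1. password guessing against a systems-management account
   2. the post-encryption footprint (".enc" files plus README_files.txt)
All sample data below is constructed for the example."""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import Path
import tempfile

# Constructed logon records: (timestamp, account, source_ip, outcome).
# Fields mirror what a failed/successful logon event carries, but these are
# not real Windows events. "svc_mgmt" and the IPs are illustrative names.
SAMPLE_LOGONS = [
    ("2020-05-20T01:00:01", "svc_mgmt", "203.0.113.7", "FAIL"),
    ("2020-05-20T01:00:03", "svc_mgmt", "203.0.113.7", "FAIL"),
    ("2020-05-20T01:00:04", "svc_mgmt", "203.0.113.7", "FAIL"),
    ("2020-05-20T01:00:06", "svc_mgmt", "203.0.113.7", "FAIL"),
    ("2020-05-20T01:00:09", "svc_mgmt", "203.0.113.7", "FAIL"),
    ("2020-05-20T01:00:12", "svc_mgmt", "203.0.113.7", "FAIL"),
    ("2020-05-20T01:00:15", "svc_mgmt", "203.0.113.7", "SUCCESS"),
    # Benign noise: a user who mistyped a password twice, hours apart.
    ("2020-05-20T08:15:00", "jdoe", "10.0.0.21", "FAIL"),
    ("2020-05-20T08:15:20", "jdoe", "10.0.0.21", "SUCCESS"),
    ("2020-05-20T13:40:00", "jdoe", "10.0.0.21", "FAIL"),
    ("2020-05-20T13:40:30", "jdoe", "10.0.0.21", "SUCCESS"),
]


def detect_bruteforce(records, threshold=5, window=timedelta(minutes=10)):
    """Flag (account, source_ip) pairs with >= threshold failures inside any
    sliding time window, and note whether a success followed the burst
    (a guessed password is the PonyFinal entry point)."""
    by_pair = defaultdict(list)
    for ts, account, ip, outcome in records:
        by_pair[(account, ip)].append((datetime.fromisoformat(ts), outcome))

    findings = {}
    for pair, events in by_pair.items():
        events.sort()
        fails = [t for t, o in events if o == "FAIL"]
        best, best_end, start = 0, None, 0
        for end, t in enumerate(fails):          # two-pointer sliding window
            while t - fails[start] > window:
                start += 1
            if end - start + 1 > best:
                best, best_end = end - start + 1, t
        if best < threshold:
            continue
        success_after = any(o == "SUCCESS" and t > best_end for t, o in events)
        findings[pair] = {"failures_in_window": best,
                          "followed_by_success": success_after}
    return findings


ENC_SUFFIX = ".enc"               # appended to every encrypted file
RANSOM_NOTE = "README_files.txt"  # ransom note name reported by Microsoft


def scan_for_footprint(root):
    """Walk `root` and count PonyFinal-style indicators. Both indicators are
    required for a positive, since ".enc" alone is used by many tools."""
    root = Path(root)
    enc_files = [p for p in root.rglob("*") if p.is_file() and p.suffix == ENC_SUFFIX]
    notes = [p for p in root.rglob(RANSOM_NOTE) if p.is_file()]
    return {"enc_files": len(enc_files), "ransom_notes": len(notes),
            "likely_ponyfinal": bool(enc_files) and bool(notes)}


def build_constructed_dir(infected=True):
    """Create a throwaway directory tree; with infected=True it carries one
    renamed file and one ransom note. Contents are placeholders."""
    base = Path(tempfile.mkdtemp(prefix="ponyfinal_demo_"))
    (base / "finance").mkdir()
    (base / "notes.txt").write_text("untouched file\n")
    if infected:
        (base / "finance" / "q1.xlsx.enc").write_bytes(b"\x00" * 16)
        (base / "finance" / RANSOM_NOTE).write_text("constructed placeholder note\n")
    return base


if __name__ == "__main__":
    for pair, info in detect_bruteforce(SAMPLE_LOGONS).items():
        print("brute force:", pair, info)
    print("footprint:", scan_for_footprint(build_constructed_dir()))
```

To run this against real data, feed `detect_bruteforce` tuples built from your failed and successful logon events, keyed on the account and source address, and tune `threshold` and `window` to the normal failure rate of the management server in question. The footprint scan is a triage aid for a host already suspected of compromise, not a substitute for the logon monitoring that catches the intrusion at its entry point.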

So far, victims have been concentrated in the healthcare sector, with cases reported in the U.S., Iran and India.

Now that you know how PonyFinal operates, the practical lesson is clear: the intrusion starts with weak passwords on an exposed systems management account, so that is the first thing to fix if you want to avoid becoming the next victim.

