Microsoft warns about attacks with the PonyFinal ransomware

PonyFinal infections have been reported in India, Iran, and the US.

Microsoft raises alarm over new PonyFinal ransomware hitting health services

Microsoft's security team has issued an advisory today warning organizations around the globe to deploy protections against a new strain of ransomware that has been in the wild over the past two months.

"PonyFinal is a Java-based ransomware that is deployed in human-operated ransomware attacks," Microsoft said in a series of tweets published today.

Human-operated ransomware is a subsection of the ransomware category. In human-operated ransomware attacks, hackers breach corporate networks and deploy the ransomware themselves.

This is in opposition to classic ransomware attacks that have been seen in the past, such as ransomware distributed via email spam or exploit kits, where the infection process relies on tricking the users in launching the payload.

How PonyFinal operates

Microsoft says it's been tracking incidents where the PonyFinal ransomware has been deployed.

The intrusion point is usually an account on a company's systems management server, which the PonyFinal gang breaches using brute-force attacks that guess weak passwords.

Once inside, Microsoft says the PonyFinal gang deploys a Visual Basic script that runs a PowerShell reverse shell to dump and steal local data. In addition, the ransomware operators also deploy "a remote manipulator system to bypass event logging."

Once the PonyFinal gang has a firm grasp on the target's network, they then spread to other local systems and deploy the actual PonyFinal ransomware.

In most cases, attackers target workstations where the Java Runtime Environment (JRE) is installed, since PonyFinal is written in Java. But Microsoft says it also has seen instances where the gang installed JRE on systems before running the ransomware.

ponyfinal-scheme.jpg

image: Microsoft

Microsoft says that files encrypted with the PonyFinal ransomware usually have an additional ".enc" file extension added to the end of each encrypted file.

The ransom note is usually named README_files.txt, and is usually a simple text file containing ransom payment instructions -- portayed below courtesy of Andrew Ivanov (PonyFinal indicators of compromise are also available on Ivanov's blog).

ponyfinal-ransom.png

Image: Andrew Ivanov

The ransomware's encryption scheme is considered secure and there is no known way or free decrypter that can recover encrypted files -- at least, at the time of writing.

Known victims in India, Iran, and the US

According to Michael Gillespie and MalwareHunterTeam, two of the individuals behind the ransomware identification portal ID-Ransomware, the PonyFinal ransomware first emerged earlier this year and has made very few victims -- which confirms its use in targeted attacks against carefully selected targets.

Gillespie, a malware researcher at Emsisoft, says all the users who uploaded samples on the ID-Ransomware website for identification have been located in India, Iran, and the US, in order of prevalence.

ponyfinal-idr.png

PonyFinal uploads on the ID-Ransomware portal

Image: Michael Gillespie, MalwareHunterTeam

According to Microsoft, PonyFinal is one of the several human-operated ransomware strains that have repeatedly targeted the healthcare sector during the coronavirus (COVID-19) pandemic.

The list also includes RobbinHood, NetWalker, Maze, REvil (Sodinokibi), Paradise, RagnarLocker, MedusaLocker, and LockBit.