Microsoft warns about attacks with the Java-based PonyFinal ransomware, which steals files
Ransomware has become the go-to tool for cybercriminals since the coronavirus pandemic. It is an effortless and efficient way of making illegal profits. Ever since big ransomware makers like REvil, CLOP, and Maze entered the scene, ransomware-as-a-service has been corporatized.
Ransomware operators no longer rely solely on encrypting the victim’s hard drive or servers in exchange for a decryption key. With the entry of these top malware families, ransomware operators have changed their revenue models. They now use the data stolen from the victims as a bargaining chip to extort a double ransom: once for the decryption key and once for not leaking the stolen data. This was seen in the ransomware attacks on LG Electronics and the Indiabulls group. These ransomware operators even have their own websites on the dark web where they issue press releases, notices to the victims, and leaked data.
Now there is a new Java-based ransomware called PonyFinal. According to Panda Security, the primary objective of this malware is stealing files for extortion. The PonyFinal ransomware was first noticed by Microsoft’s security team in May 2020, and they tweeted about it.
PonyFinal is a Java-based ransomware that is deployed in human-operated ransomware attacks. While Java-based ransomware are not unheard of, they’re not as common as other threat file types. However, organizations should focus less on this payload and more on how it’s delivered. pic.twitter.com/Q3BMs7fSvx
— Microsoft Security Intelligence (@MsftSecIntel) May 27, 2020
How does PonyFinal Ransomware work?
To gain entry to the victim’s system, the PonyFinal operators carry out a brute force attack against Microsoft Systems Management Server (SMS). Once they gain entry, they deploy a VBScript that runs a PowerShell reverse shell and exfiltrates data from the server to their command and control server. In addition, the PonyFinal operators also launch a remote manipulator system to bypass event logging.
If the server doesn’t support Java, the operators launch the Java Runtime Environment (JRE), which is needed to run the PonyFinal malware. In cases where the server already has JRE installed, the operators use information stolen from SMS to target endpoints. This means that companies that already have JRE installed may be blind to this attack.
PonyFinal is delivered through an MSI file, which contains two batch files and the ransomware payload. UVNC_Install.bat creates a scheduled task called “Java Updater”, and calls RunTask.bat, which executes the payload, PonyFinal.JAR.
How does PonyFinal ransomware execute itself?
Once PonyFinal.JAR has been implanted on the victim’s system, the operators wait for a long time before manually executing the malware. Microsoft says that, like other manually operated ransomware, the PonyFinal operators bide their time, waiting for the most opportune moment to deploy the payload.
Once they decide to execute the malware, the ransomware encrypts the victim’s files, appending an additional “.enc” file extension to the end of each encrypted file. The ransom note is usually named README_files.txt and is usually a simple text file containing ransom payment instructions.
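One way a defender can hunt for the delivery and encryption artifacts described above (the “Java Updater” scheduled task, the UVNC_Install.bat and RunTask.bat batch files, the PonyFinal.JAR payload, the “.enc” extension and the README_files.txt note), written here as an added PowerShell example that is not from the article or from Microsoft. The scan roots and the use of Security event ID 4698 (scheduled task created) are assumptions; the artifact names come from the article.

```powershell
# Added example (not from the article or Microsoft): hunt a Windows host for
# the PonyFinal artifacts the article describes. Run as an administrator.
# Assumptions: $ScanRoots is a placeholder to adjust; event ID 4698 is only
# logged if "Audit Other Object Access Events" is enabled.
param(
    [string[]]$ScanRoots = @('C:\Users', 'D:\')
)

$findings = [System.Collections.Generic.List[object]]::new()

# 1. Scheduled task named "Java Updater", or any task whose action references
#    the batch files / JAR delivered by the MSI package (names from the article).
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    $actionText = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' '
    if ($task.TaskName -eq 'Java Updater' -or
        $actionText -match 'RunTask\.bat|UVNC_Install\.bat|PonyFinal\.JAR') {
        $findings.Add([pscustomobject]@{
            Type   = 'ScheduledTask'
            Detail = "$($task.TaskPath)$($task.TaskName) -> $actionText"
        })
    }
}

# 2. Task-creation audit events (Security 4698) that name "Java Updater",
#    which survive even if the task was later deleted.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Java Updater' } |
    ForEach-Object {
        $findings.Add([pscustomobject]@{
            Type   = 'TaskCreatedEvent'
            Detail = "$($_.TimeCreated) $($_.Message.Split("`n")[0])"
        })
    }

# 3. Encryption artifacts: the ransom note and files carrying the ".enc" extension.
foreach ($root in $ScanRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq 'README_files.txt' -or $_.Extension -eq '.enc' } |
        Select-Object -First 50 |
        ForEach-Object {
            $findings.Add([pscustomobject]@{ Type = 'EncryptionArtifact'; Detail = $_.FullName })
        }
}

$findings | Format-Table -AutoSize
```

An empty result does not prove a host is clean, since the operators use a remote manipulator system to bypass event logging; treat a hit on the scheduled task or the batch-file names as a signal to isolate the host before the payload is executed.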
At present, PonyFinal victims have no fix other than reducing the attack surface beforehand. Microsoft has recommended that organizations reduce the attack surface by ensuring that all Internet-facing assets are updated with the relevant patches. This is particularly important for VPNs and other remote access tools, which have been used more than ever during the pandemic. It is also vital to carry out frequent audits for misconfigurations and vulnerabilities.
Security researchers are working on a decryptor for PonyFinal, but it would be useless given that the operators use the stolen data to extort money. Microsoft says that hospitals and healthcare industries in India, the U.S., and Brazil are particularly vulnerable to PonyFinal ransomware.