Microsoft warns of PonyFinal ransomware attacks

Malware experts at Microsoft have warned businesses to be on their guard against hackers plotting to plant the PonyFinal ransomware on compromised IT systems.

Attacks incorporating the Java-based PonyFinal ransomware have been seen in the wild since the beginning of April, with reports coming in from India, Iran, and the United States.

What makes the PonyFinal ransomware particularly effective is that the hackers behind attacks spend time researching their intended victims and creating a plan for how best to maximise the ransom they might be able to extract.

In a series of tweets, Microsoft’s security intelligence team stressed that it’s more important for organisations to focus on the way in which the attack is delivered than the malicious payload.

And there’s definitely some truth in that. Much of the media attention on ransomware attacks focuses on companies being locked out of their encrypted data, and the dilemma as to whether they should pay the ransom or not.

What is perhaps more useful to IT security teams is to place more emphasis upon how an attack begins in the first place, and what methods are being used by a hacking gang to plant ransomware on the company’s computer systems.

After all, if an attack can be made to stumble at the first hurdle, your company hopefully won’t ever have to face the nightmare scenario of working out how to recover its encrypted data.

According to the researchers, hackers have gained access to potential victims by brute-forcing their way into company servers, compromising internet-facing web systems and obtaining privileged credentials.

Common vectors for initial infection can include brute force of RDP, vulnerable internet-facing systems, and weak application settings.

In some instances, the attackers have deployed the Java Runtime Environment (JRE), which PonyFinal needs in order to run. However, stealthier attacks have also been seen in which the attackers simply took advantage of a JRE installation that already existed on an endpoint computer.
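Since Microsoft's advice is to watch the delivery rather than the payload, the initial-access vector named above (brute force of RDP) is a natural place for a detection. The script below is an added example for this article, not Microsoft's or the author's code. It assumes a simplified one-line-per-event text export of the Windows Security log (the real fields are Event ID 4625 for a failed logon, 4624 for a successful one, and Logon Type 10 for RemoteInteractive, i.e. RDP); the log lines are constructed, and the threshold and window are illustrative. It flags a source address that racks up many RDP failures in a short window, and separately flags a later RDP success from an address it has already flagged, which is the moment a brute-force attempt turns into a foothold.

```python
"""Flag RDP brute-force patterns in (constructed) Windows Security log lines.

Added example, not code from the article or from Microsoft. Assumes a
simplified export format with one event per line; Event ID 4625 = failed
logon, 4624 = successful logon, LogonType 10 = RemoteInteractive (RDP).
Threshold and window are illustrative and should be tuned per environment.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"User=(?P<user>\S+) SrcIP=(?P<ip>\S+)$"
)

# Constructed sample events (not real telemetry). One source hammers RDP with
# several account names and then logs in; another shows a single benign typo.
SAMPLE_LOG = """\
2020-05-27 10:00:01 EventID=4625 LogonType=10 User=administrator SrcIP=198.51.100.23
2020-05-27 10:00:02 EventID=4625 LogonType=10 User=admin SrcIP=198.51.100.23
2020-05-27 10:00:02 EventID=4625 LogonType=10 User=backup SrcIP=198.51.100.23
2020-05-27 10:00:03 EventID=4625 LogonType=10 User=administrator SrcIP=198.51.100.23
2020-05-27 10:00:04 EventID=4625 LogonType=10 User=svc_sql SrcIP=198.51.100.23
2020-05-27 10:00:05 EventID=4625 LogonType=10 User=administrator SrcIP=198.51.100.23
2020-05-27 10:00:09 EventID=4624 LogonType=10 User=administrator SrcIP=198.51.100.23
2020-05-27 10:03:00 EventID=4625 LogonType=10 User=jsmith SrcIP=203.0.113.7
2020-05-27 10:03:30 EventID=4624 LogonType=10 User=jsmith SrcIP=203.0.113.7
"""


def parse(line):
    """Parse one export line into a dict, or return None for unrecognised lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "eid": int(m["eid"]),
        "lt": int(m["lt"]),
        "user": m["user"],
        "ip": m["ip"],
    }


def detect(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return a list of (src_ip, kind, detail) alerts.

    kind == "brute_force": at least `threshold` RDP failures from one source
        address fell inside `window`; detail is the tuple of account names tried.
    kind == "success_after_burst": an RDP success arrived from an address that
        was already flagged; detail is the account that logged in.
    """
    recent = defaultdict(deque)  # src_ip -> deque of (timestamp, user) failures
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None or ev["lt"] != 10:  # only RemoteInteractive (RDP) logons
            continue
        ip = ev["ip"]
        if ev["eid"] == 4625:
            q = recent[ip]
            q.append((ev["ts"], ev["user"]))
            # Slide the window: drop failures older than `window`.
            while q and ev["ts"] - q[0][0] > window:
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                users = tuple(sorted({u for _, u in q}))
                alerts.append((ip, "brute_force", users))
        elif ev["eid"] == 4624 and ip in flagged:
            alerts.append((ip, "success_after_burst", ev["user"]))
    return alerts


if __name__ == "__main__":
    for ip, kind, detail in detect(SAMPLE_LOG):
        print(f"{kind:20s} {ip:16s} {detail}")
```

Real deployments would read events from the Security channel (or a SIEM) rather than a text export, but the logic is the same: a burst of 4625 events with Logon Type 10 from one address is the signal, and a following 4624 from that address is the alert that should page someone. The second alert kind is the one that matters most here, because it is exactly the point at which the "brute-forcing their way into company servers" step described above has succeeded and the hands-on-keyboard phase can begin.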

Phillip Misner, security program manager at Microsoft, told Dark Reading that the criminals behind the PonyFinal attacks were moulding their attacks for specific targets.

“Like all of these human-operated ransomware campaigns, this is a cut above your normal criminal organization. These are attackers with the ability to choose multiple payloads and who spend their time doing research to see how they can extract the most money from the compromises they do.”

Don’t become the next victim. Take steps inside your company to reduce the chances of a ransomware attack succeeding.

About the author

Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.