Microsoft warns of PonyFinal ransomware attacks

Malware experts at Microsoft have warned businesses to be on their guard against hackers plotting to plant the PonyFinal ransomware on compromised IT systems.

Attacks incorporating the Java-based PonyFinal ransomware have been seen in the wild since the beginning of April, with reports coming in from India, Iran, and the United States.

What makes the PonyFinal ransomware particularly effective is that the hackers behind attacks spend time researching their intended victims and creating a plan for how best to maximise the ransom they might be able to extract.

In a series of tweets, Microsoft’s security intelligence team stressed that it’s more important for organisations to focus on the way in which the attack is delivered than the malicious payload.

And there’s definitely some truth in that. Much of the media attention on ransomware attacks focuses on companies being locked out of their encrypted data, and the dilemma as to whether they should pay the ransom or not.

What is perhaps more useful to IT security teams is to place more emphasis upon how an attack begins in the first place, and what methods are being used by a hacking gang to plant ransomware on the company’s computer systems.

After all, if an attack can be made to stumble at the first hurdle, your company hopefully won’t ever have to deal with the nightmare scenario of how to recover their encrypted data.

According to the researchers, hackers have gained access to potential victims by brute-forcing their way into company servers, compromising internet-facing web systems and obtaining privileged credentials.

Common vectors for initial infection can include brute force of RDP, vulnerable internet-facing systems, and weak application settings.

In some instances, the attackers have deployed Java Runtime Environment (JRE), which PonyFinal needs to run. However, stealthier attacks have also been seen where attackers have taken advantage of the existence of a JRE installation already existing on an endpoint computer.

Phillip Misner, security program manager at Microsoft, told Dark Reading that the criminals behind the PonyFinal attacks were moulding their attacks for specific targets.

“Like all of these human-operated ransomware campaigns, this is a cut above your normal criminal organization. These are attackers with the ability to choose multiple payloads and who spend their time doing research to see how they can extract the most money from the compromises they do.”

Don’t become the next victim. Take steps inside your company to reduce the chances of a ransomware attack succeeding.