PonyFinal – A Java-Based Ransomware Attack Enterprise Network Servers to Lock The Sensitive Data

Recently, the security team at Microsoft has issued a warning notice to the organizations around the world to implement all the necessary protection against a new variety of ransomware, PonyFinal, that has been around for the past two months.

Microsoft Security Intelligence has clarified that PonyFinal is a new variety of ransomware, and it’s not an automated threat, as it’s a manually controlled ransomware.

In short, in this type of human-operated ransomware attacks, the attackers hit the corporate networks to deploy the ransomware themselves.

Here’s what Microsoft said in a series of tweets, “PonyFinal is a Java-based ransomware that is deployed in human-operated ransomware attacks. While Java-based ransomware are not unheard of, they’re not as common as other threat file types.”

According to the security experts, PonyFinal ransomware is developed in the Java programming language, and currently, it cannot penetrate the corporate networks itself, and it requires the manual installation by hackers. 

Apart from this, the security experts at Microsoft have also recommended all the organizations to focus on how this ransomware, PonyFinal is delivered. Many organizations have reported that they have suffered attacks from PonyFinal ransomware over the past two months.

In this case, the attacks are made mostly in India, Iran, and the USA; here, the attackers download it most often in the network of medical organizations, along with the other sophisticated malware.

How PonyFinal Ransomware Operates

Here the entry point is normally an account on a company’s systems management server, and this is the point that attackers use the PonyFinal ransomware to execute the brute force attacks to guess the weak passwords used by the people of the organization that was attacked.

PonyFinal encrypts the files and then name the original encrypted version of files with the same name used by the victim, but with the extension “.enc.” Once, the PonyFinal encrypts the files on the infected system, there are no ways to decrypt such files without knowing the decryption key.

Not only that, even, the attackers also put a README_files.txt file on the server to describe and guide the victim about the ransom and payment procedures.

Microsoft wrote that the Trojan is downloaded manually by the attackers, and they choose the organizations deliberately, select passwords, and gain access to the PowerShell command interface. Through which they extract all the information about infected environments and spreads alongside.

After gaining access to the PowerShell command interface with elevated privileges, the attackers install PonyFinal on the directly attacked and connected servers. In most cases, the attackers target the servers where the Java Runtime Environment (JRE) is installed. 

But, according to Microsoft, there are some cases where the attackers have installed Java Runtime Environment (JRE) on the systems before running the ransomware.

However, Microsoft has strongly recommended all the organizations around the world to stay alert and keep their systems up to date to remain protected.

So, what do you think about this? Share all your views and thoughts in the comment section below.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Also Read:

Russian Government Hackers Actively Exploit Exim Mail Server Flaw Since 2019

New Android Bug Strandhogg 2.0 Affects all Devices Running Android 9.0 and Earlier

Hackers and Security Researchers Accessed an Entire Version of Leaked iOS 14 OS Before Official Release

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.