Microsoft recently warned its more than 100,000 Twitter followers about the emergence of a new human-operated, Java-based ransomware that has been used in targeted attacks in the US, India and Iran.
The malware, named PonyFinal, is an example of human-operated ransomware, a model that is gaining currency for attacks on organizations rather than on individual users. In this type of attack, the operators steal credentials and move laterally through the network to build up knowledge of the victim's environment. The strategy and payload are chosen to fit that environment: once it has been mapped, the threat actor deploys whichever ransomware aligns most closely with the target's systems.
How human-operated ransomware is different
What distinguishes this mode of attack from automated malware is that it is far more involved than tricking an unsuspecting user into clicking a malicious link. With PonyFinal and similar human-operated ransomware there are people on the other side, continuously monitoring the compromised network and gathering the intelligence they need to decide when and where to deploy the ransomware.
PonyFinal attacks begin with brute-force attacks against the target's systems management server, through which the attackers gain their initial access. Elaborating further, Microsoft stated, through tweets, "They deploy a VBScript to run a PowerShell reverse shell to perform data dumps. They also deploy a remote manipulator system to bypass event logging".
In some cases the attackers also deploy a Java Runtime Environment (JRE), which the Java-based PonyFinal ransomware needs in order to run. According to Microsoft, however, the evidence suggests that the attackers use information stolen from the systems management server to target endpoints that already have JRE installed, so the runtime does not always have to be dropped.
PonyFinal: How it works
Experts suggest that the PonyFinal campaign has carried out highly targeted attacks on victims in the US, India and Iran and is likely the work of an advanced cybercrime group. It has also capitalized on the ongoing COVID-19 pandemic by repeatedly targeting the healthcare sector.
PonyFinal uses a secure encryption scheme: encrypted files are given an .enc extension, and the ransom note is a simple text file. Experts warn that without the attackers' key it is unlikely that encrypted files can be recovered, which is what makes the threat so dangerous and why offline backups matter.
All Internet-facing assets must be secured
To protect against PonyFinal and similar human-operated ransomware, enterprises need to stay vigilant. The key is to secure all Internet-facing assets, including systems management servers, and to monitor for brute-force activity, which can indicate that an intrusion is already in its reconnaissance phase.
IT administrators must ensure that systems and applications are fully patched and running on supported, up-to-date operating systems. Admin accounts in particular should have strong, unique passwords, ideally with multi-factor authentication, and access to them should be limited to as few people as possible. It is also important to monitor authentication attempts: a large number of failed log-ins to an admin account, especially from one source address in a short period, is a strong indicator of a brute-force attack.
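As an added illustration of the monitoring advice above (example code written for this page, not part of Seqrite's product or Microsoft's report), the following Python script runs a sliding-window brute-force detector over a constructed sample of Windows failed-logon (event 4625) and successful-logon (event 4624) records. It raises three kinds of alert: many failures from one source address regardless of account (password spraying or classic brute force), a lower number of failures against a privileged account, and a successful logon from a source that had just been failing, which is the moment a guessed password pays off. The account names, IP addresses, log format and thresholds are assumptions chosen for the example; a real deployment would read the events from the Security log or a SIEM and tune the thresholds against its own baseline.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample telemetry, not real logs: Windows Security events flattened
# to "timestamp event_id target_user source_ip". 4625 = failed logon, 4624 = success.
SAMPLE_LOG = """\
2020-05-27T09:40:00Z 4625 svc_sccm 203.0.113.7
2020-05-27T09:40:30Z 4625 svc_sccm 203.0.113.7
2020-05-27T10:00:01Z 4625 jdoe 198.51.100.4
2020-05-27T10:00:05Z 4625 Administrator 203.0.113.7
2020-05-27T10:00:06Z 4625 Administrator 203.0.113.7
2020-05-27T10:00:07Z 4625 Administrator 203.0.113.7
2020-05-27T10:00:08Z 4624 Administrator 203.0.113.7
""" + "".join(
    # twelve failures against twelve different accounts in one minute: a spray
    f"2020-05-27T10:01:{5 * i:02d}Z 4625 user{i + 1:02d} 192.0.2.9\n" for i in range(12)
)

# Hypothetical privileged accounts that get a lower alert threshold.
ADMIN_ACCOUNTS = {"administrator", "svc_sccm"}


def parse_event(line):
    """Parse one flattened record into a dict."""
    ts, event_id, user, ip = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "id": int(event_id),
        "user": user,
        "ip": ip,
    }


def _trim(q, now, window):
    """Evict timestamps that have fallen out of the detection window."""
    while q and now - q[0] > window:
        q.popleft()


def detect_bruteforce(log_text, window=timedelta(minutes=5), threshold=10,
                      admin_threshold=3, success_after=3):
    """Return a list of alerts; records must be in time order, as a log export is."""
    per_ip = defaultdict(deque)     # source ip -> recent failure timestamps (any account)
    per_admin = defaultdict(deque)  # (ip, admin account) -> recent failure timestamps
    fired = set()                   # suppress duplicate alerts for the same key
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        ip, user, now = ev["ip"], ev["user"].lower(), ev["ts"]
        if ev["id"] == 4625:
            q = per_ip[ip]
            q.append(now)
            _trim(q, now, window)
            if len(q) >= threshold and ("bruteforce", ip) not in fired:
                fired.add(("bruteforce", ip))
                alerts.append({"rule": "bruteforce", "ip": ip, "user": None,
                               "count": len(q), "ts": now})
            if user in ADMIN_ACCOUNTS:
                aq = per_admin[(ip, user)]
                aq.append(now)
                _trim(aq, now, window)
                if len(aq) >= admin_threshold and ("admin_bruteforce", ip, user) not in fired:
                    fired.add(("admin_bruteforce", ip, user))
                    alerts.append({"rule": "admin_bruteforce", "ip": ip, "user": user,
                                   "count": len(aq), "ts": now})
        elif ev["id"] == 4624:
            # A success from a source that was just failing is the highest-value signal:
            # the brute force may have worked. Noisy for typo-prone humans; tune success_after.
            q = per_ip[ip]
            _trim(q, now, window)
            if len(q) >= success_after:
                alerts.append({"rule": "success_after_failures", "ip": ip, "user": user,
                               "count": len(q), "ts": now})
                q.clear()
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG):
        print(f'{a["ts"]:%H:%M:%S} {a["rule"]:<24} ip={a["ip"]} '
              f'user={a["user"]} failures={a["count"]}')
```

Running it on the constructed sample produces three alerts: the Administrator account tripped the admin threshold from 203.0.113.7, the same source then logged in successfully, and 192.0.2.9 crossed the general threshold on its tenth failure. The two old svc_sccm failures at 09:40 fall outside the five-minute window and are correctly ignored, and jdoe's single failure produces nothing.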
To secure every connected endpoint, enterprises can consider Seqrite Endpoint Security (EPS), a simple and powerful platform that integrates advanced features such as Anti-Ransomware, Advanced Device Control, Behavioral Detection System and Data Loss Prevention (DLP) in a single, easy-to-use console. Powered by GoDeep.AI, EPS uses Seqrite's behaviour-based detection technology to scan for and block ransomware threats, and also backs up data to a secure location.