Microsoft alerted all its users to stay vigilant with regard to PonyFinal ransomware attacks. Since the ransomware attacks are active in the wild, Microsoft has urged users to pay attention to its deployment.
In a series of tweets, Microsoft Security Intelligence has shared details about a new ransomware.
Dubbed PonyFinal, this ransomware is somewhat different from most families in that it is written in Java.
As explained by Microsoft, the attackers gain access to the target firm’s system via brute force. They then deploy components to execute the attack. As stated,
Microsoft also suggested that the attackers may target endpoints that already have a Java Runtime Environment (JRE) installed, using stolen credentials.
Finally, an MSI file delivers the payload ransomware.
Another distinction of this ransomware is that it is human-operated: the attackers deploy it deliberately after they have already breached the target network, rather than spreading it automatically.
The following image depicts a PonyFinal ransomware attack scenario.
Upon breaching the target network, the attackers do not begin encrypting straight away. Rather, they wait for the right moment and launch the encryption at a chosen time. The ransomware then appends a .enc extension to the names of encrypted files and drops a ransom note as a text file.
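The two on-disk indicators described above (a burst of files renamed with a .enc extension, plus a text file appearing alongside them) are simple to watch for in file-activity telemetry. The following detector is an added example for defenders, not code from the article or from Microsoft; the event format, field names, thresholds and the sample log lines are all constructed for this illustration.

```python
"""
Added example (not from the article or from Microsoft): flag hosts where many
files are renamed to a ".enc" extension within a short window, and report any
.txt file created on that host around the same time (where a ransom note
would land). Event format, field names, thresholds and sample events are
constructed assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Tunables (assumptions): renames within WINDOW needed before we raise an alert.
BURST_THRESHOLD = 5
WINDOW = timedelta(seconds=60)
ENCRYPTED_EXT = ".enc"

# Constructed sample telemetry: "<iso-time> <host> <action> <path>".
# ws-01 shows a PonyFinal-like burst plus a note; ws-02 is benign noise.
SAMPLE_EVENTS = [
    "2020-04-10T02:00:00 ws-01 RENAME C:/data/finance/q1.xlsx.enc",
    "2020-04-10T02:00:05 ws-01 RENAME C:/data/finance/q2.xlsx.enc",
    "2020-04-10T02:00:10 ws-01 RENAME C:/data/finance/budget.docx.enc",
    "2020-04-10T02:00:15 ws-01 RENAME C:/data/hr/payroll.csv.enc",
    "2020-04-10T02:00:20 ws-01 RENAME C:/data/hr/contracts.pdf.enc",
    "2020-04-10T02:00:25 ws-01 RENAME C:/data/hr/handbook.pdf.enc",
    "2020-04-10T02:00:30 ws-01 CREATE C:/data/README-RECOVER.txt",
    "2020-04-10T02:01:00 ws-02 RENAME C:/tmp/backup.tar.enc",
    "2020-04-10T02:30:00 ws-02 RENAME C:/tmp/archive.zip.enc",
]


def parse_event(line):
    """Parse one constructed log line into a dict."""
    ts, host, action, path = line.split(" ", 3)
    return {"time": datetime.fromisoformat(ts), "host": host,
            "action": action, "path": path}


def find_encryption_bursts(events, threshold=BURST_THRESHOLD, window=WINDOW):
    """Return one alert per host whose .enc renames reach `threshold` inside `window`.

    Each alert carries the burst's time span, the rename count at the moment the
    threshold was crossed, and any .txt files created within one window of it.
    """
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)

    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["time"])
        renames = [e for e in evs
                   if e["action"] == "RENAME"
                   and e["path"].lower().endswith(ENCRYPTED_EXT)]
        # Sliding window over rename timestamps.
        start = 0
        for end in range(len(renames)):
            while renames[end]["time"] - renames[start]["time"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                t0, t1 = renames[start]["time"], renames[end]["time"]
                notes = sorted({e["path"] for e in evs
                                if e["action"] == "CREATE"
                                and e["path"].lower().endswith(".txt")
                                and t0 - window <= e["time"] <= t1 + window})
                alerts.append({"host": host, "start": t0, "end": t1,
                               "renames": count, "notes": notes})
                break  # one alert per host; analysts drill in from there
    return alerts


def run_sample():
    """Run the detector over the constructed sample events."""
    return find_encryption_bursts([parse_event(l) for l in SAMPLE_EVENTS])


if __name__ == "__main__":
    for alert in run_sample():
        print(f"{alert['host']}: {alert['renames']} .enc renames between "
              f"{alert['start']} and {alert['end']}; note candidates: {alert['notes']}")
```

The threshold and window are deliberately conservative so that a single user renaming a couple of files does not page anyone; in practice they should be tuned against baseline rename rates on each file server, and the alert should be joined with the process that performed the renames, since the article notes the payload is delivered via an MSI and runs under Java.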
Reportedly, the PonyFinal campaigns are active in the wild, with the first detection dating back to April 2020. According to ZDNet, the campaigns have predominantly targeted India, Iran, and the USA.