Revealed: Advanced Java-Based Ransomware PonyFinal
Microsoft has warned of a new type of data stealing Java-based ransomware, dubbed PonyFinal.
PonyFinal is what Microsoft describes as “human-operated ransomware” — to distinguish it from commoditized variants that are distributed in an automated way by hackers.
The tech giant’s Security Intelligence group revealed in a series of tweets this week that the first stage involves access to a targeted organization via brute force attacks against the systems management server.
A VBScript is deployed to run a PowerShell reverse shell, which enables data exfiltration to a C&C server over port 80. The attackers also deploy a remote manipulator system to bypass event logging.
“In certain cases, the attackers deploy Java Runtime Environment (JRE), which the Java-based PonyFinal ransomware needs to run. However, evidence suggests that attackers use information stolen from the systems management server to target endpoints with JRE already installed,” Microsoft continued.
Thus, organizations that already have JRE on their systems will not see a JRE installation step and may be blind to the attack.
“The PonyFinal ransomware is delivered through an MSI file that contains two batch files and the ransomware payload,” Microsoft continued. “UVNC_Install.bat creates a scheduled task named ‘Java Updater’ and calls RunTask.bat, which runs the payload, PonyFinal.JAR.”
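The persistence step described above (a scheduled task named after a software updater that actually runs a batch file, which in turn launches a JAR) is something defenders can hunt for in a scheduled-task inventory. The following is an added example, not code from the original article or from Microsoft: it scores each task from a constructed export in the shape of `schtasks /query /fo CSV /v` output (columns trimmed to the ones the hunt uses) and reports tasks whose action is a script or JAR, lives in a user-writable directory, or combines either of those with an updater-style name. The host name, paths and task list are constructed sample data, and the two-point threshold is an assumption to tune per environment.

```python
import csv
import io
import re

# Constructed sample export in the shape of `schtasks /query /fo CSV /v`;
# real exports carry more columns, and only these five are used here.
SAMPLE_TASK_EXPORT = r'''"HostName","TaskName","Status","Author","Task To Run"
"SRV01","\Microsoft\Windows\UpdateOrchestrator\Schedule Scan","Ready","Microsoft Corporation","%systemroot%\system32\usoclient.exe StartScan"
"SRV01","\Java Updater","Ready","SRV01\Administrator","C:\ProgramData\RunTask.bat"
"SRV01","\Nightly Backup","Ready","CORP\backupsvc","C:\Scripts\backup.cmd"
"SRV01","\Adobe Acrobat Update Task","Ready","Adobe","C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
'''

# Action is a script/JAR, or an explicit `java -jar` launch, rather than a binary.
SCRIPT_ACTION = re.compile(r'\.(bat|cmd|vbs|js|ps1|jar)(?=["\s]|$)|\bjavaw?(\.exe)?\b.*\s-jar\b', re.I)
# Action is staged somewhere an unprivileged user or installer can write to.
WRITABLE_PATH = re.compile(r'\\(programdata|users|temp|appdata)\\', re.I)
# Task name borrows the vocabulary of legitimate updater tasks.
UPDATER_NAME = re.compile(r'updat', re.I)

# Tasks scoring at least this many points are returned for analyst review (assumption).
REVIEW_THRESHOLD = 2


def score_task(name, action):
    """Return the list of reasons a task looks like impostor persistence (empty = benign)."""
    reasons = []
    if SCRIPT_ACTION.search(action):
        reasons.append("action runs a script or JAR rather than a vendor binary")
    if WRITABLE_PATH.search(action):
        reasons.append("action lives in a user-writable directory")
    # An updater-style name only counts when the action itself is already odd, so that
    # genuine Windows/Edge/Adobe updater tasks do not flood the result set.
    if reasons and UPDATER_NAME.search(name):
        reasons.append("task name mimics a software updater")
    return reasons


def find_suspicious_tasks(csv_text):
    """Parse a schtasks-style CSV export and return tasks that meet the review threshold."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name, action = row["TaskName"], row["Task To Run"]
        reasons = score_task(name, action)
        if len(reasons) >= REVIEW_THRESHOLD:
            findings.append({
                "host": row["HostName"],
                "task": name,
                "author": row["Author"],
                "action": action,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_tasks(SAMPLE_TASK_EXPORT):
        print(f"{f['host']} {f['task']} ({f['author']}) -> {f['action']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

On the constructed export only `\Java Updater` is returned: it collects all three reasons, while `\Nightly Backup` (a script, but in a fixed admin path with no updater-style name) stays below the threshold and the two vendor updater tasks score nothing. To run it against a live host, feed the function the text of `schtasks /query /fo CSV /v` instead of the sample string.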
According to Microsoft, PonyFinal encrypts files at a specific date and time and, like similar “human-operated” ransomware attacks, those wielding it are likely to bide their time and deploy the payload at the most opportune moment.
In the case of recent attacks on hospitals, that was in early April when many healthcare organizations were battling a peak of COVID-19 admissions.
Microsoft recommends that organizations reduce their attack surface by ensuring internet-facing assets are up-to-date with patches, especially VPNs and other remote access infrastructure, and conducting regular audits of misconfigurations and vulnerabilities.
For PonyFinal in particular, Microsoft recommends scanning for brute force activity against internet-facing systems such as the systems management server.
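The brute-force scanning recommended above reduces to a sliding-window count of failed logons per source. The following is an added example, not code from the original article or from Microsoft: it parses constructed log lines (timestamp, Windows logon event ID, source address, account) and raises three kinds of alert: `brute_force` when one source accumulates five failures (event 4625) against few accounts inside a two-minute window, `password_spray` when those failures span five or more distinct accounts, and `success_after_failures` when a successful logon (event 4624) from a source follows a burst of failures, which is the case worth paging on. The line format, the thresholds, and the addresses (documentation ranges) are all constructed assumptions; the same logic applies to any authentication log once the parser is adapted.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: simplified Windows logon events (4625 = failure, 4624 = success).
# 203.0.113.45 hammers one account and then gets in; 203.0.113.90 sprays many accounts;
# 198.51.100.7 is a user who mistypes a password twice, hours apart, and then logs in.
SAMPLE_LOG = """\
2020-04-02T03:14:01Z 4625 src=203.0.113.45 user=administrator
2020-04-02T03:14:11Z 4625 src=203.0.113.45 user=administrator
2020-04-02T03:14:21Z 4625 src=203.0.113.45 user=administrator
2020-04-02T03:14:31Z 4625 src=203.0.113.45 user=administrator
2020-04-02T03:14:41Z 4625 src=203.0.113.45 user=administrator
2020-04-02T03:14:51Z 4625 src=203.0.113.45 user=administrator
2020-04-02T03:15:10Z 4624 src=203.0.113.45 user=administrator
2020-04-02T03:20:00Z 4625 src=198.51.100.7 user=jsmith
2020-04-02T03:30:00Z 4625 src=203.0.113.90 user=alice
2020-04-02T03:30:10Z 4625 src=203.0.113.90 user=bob
2020-04-02T03:30:20Z 4625 src=203.0.113.90 user=carol
2020-04-02T03:30:30Z 4625 src=203.0.113.90 user=dave
2020-04-02T03:30:40Z 4625 src=203.0.113.90 user=erin
2020-04-02T03:30:50Z 4625 src=203.0.113.90 user=frank
2020-04-02T09:00:00Z 4625 src=198.51.100.7 user=jsmith
2020-04-02T09:05:00Z 4624 src=198.51.100.7 user=jsmith
"""

LINE = re.compile(r"^(?P<ts>\S+) (?P<event>\d{4}) src=(?P<src>\S+) user=(?P<user>\S+)$")


def parse_events(text):
    """Turn the constructed log format into time-sorted dicts; malformed lines are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_bruteforce(events, window=timedelta(seconds=120), fail_threshold=5, spray_threshold=5):
    """Sliding-window failed-logon detector; returns one alert per (source, kind)."""
    recent = defaultdict(deque)   # src -> deque of (ts, user) failures still inside the window
    alerted = set()               # (src, kind) already reported, so extra failures do not re-alert
    alerts = []

    def raise_alert(ts, src, kind, detail):
        if (src, kind) not in alerted:
            alerted.add((src, kind))
            alerts.append({"time": ts.isoformat(), "src": src, "kind": kind, "detail": detail})

    for e in events:
        q = recent[e["src"]]
        # Drop failures that have aged out of the window before evaluating this event.
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        if e["event"] == "4625":
            q.append((e["ts"], e["user"]))
            if len(q) >= fail_threshold:
                users = {u for _, u in q}
                if len(users) >= spray_threshold:
                    raise_alert(e["ts"], e["src"], "password_spray",
                                f"{len(q)} failures across {len(users)} accounts in {window.seconds}s")
                else:
                    raise_alert(e["ts"], e["src"], "brute_force",
                                f"{len(q)} failures for {', '.join(sorted(users))} in {window.seconds}s")
        elif e["event"] == "4624" and len(q) >= fail_threshold:
            # A success right after a failure burst from the same source is the high-priority case.
            raise_alert(e["ts"], e["src"], "success_after_failures",
                        f"logon as {e['user']} after {len(q)} recent failures")
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(parse_events(SAMPLE_LOG)):
        print(f"{a['time']} {a['kind']:24} {a['src']:14} {a['detail']}")
```

On the sample data this yields three alerts in time order: `brute_force` and then `success_after_failures` for 203.0.113.45, and `password_spray` for 203.0.113.90; the two mistyped passwords from 198.51.100.7 sit hours apart, fall outside the window, and produce nothing. Keying the window on the source address rather than the account is what lets the spray case surface, since each account there only fails once.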