PonyFinal Ransomware Targets Enterprise Servers Then Bides Its Time

Microsoft has warned on a new breed of patient ransomware attacks that lurk in networks for weeks before striking.

A Java-based ransomware known as PonyFinal has galloped onto the scene, targeting enterprise systems management servers as an initial infection vector.

According to a warning on Twitter from Microsoft Security Intelligence on Wednesday, PonyFinal is not an automated threat, but rather has humans pulling the reins. It exfiltrates information about infected environments, spreads laterally and then waits before striking: the operators encrypt files at a later date and time, chosen for when the target is deemed most likely to pay.

Encrypted files are given a “.enc” file name extension; the ransom note, meanwhile, is a simple text file, researchers said.

While it’s notable that the threat is Java-based (a rarer breed than most, according to Microsoft), researchers noted that the most interesting thing about the ransomware is how it’s delivered.

“PonyFinal attackers have been seen gaining access through brute-force attacks against a target company’s systems management server,” they tweeted. “They deploy a VBScript to run a PowerShell reverse shell to perform data dumps. They also deploy a remote manipulator system to bypass event logging.”

The malware requires Java Runtime Environment (JRE) in order to run. So, the attackers either deploy it into environments if needed, or in some cases, it appears that they use the data that the malware initially collects — stolen from the systems management server — to identify and go after endpoints with JRE already installed.

As for the infection routine, “The PonyFinal ransomware is delivered through an MSI file that contains two batch files and the ransomware payload,” researchers explained. “UVNC_Install.bat creates a scheduled task named ‘Java Updater’ and calls RunTask.bat, which runs the payload, PonyFinal.JAR.”
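The delivery chain described above leaves a concrete artefact a defender can hunt for: a scheduled-task creation event whose task name or action matches the reported indicators. The following triage script is an added example, not Microsoft's or Threatpost's code; it assumes Security event 4698 (task created) has been exported as flat JSON records with `Host`, `TaskName`, `Command` and `Arguments` fields, and the sample events are constructed.

```python
"""Triage exported scheduled-task creation events for the PonyFinal staging pattern:
a task named 'Java Updater' whose action runs RunTask.bat, which launches PonyFinal.JAR.
Field names assume a flat JSON export of Security event 4698; sample data is constructed."""
import re

TASK_NAME_IOCS = {"java updater"}                      # task name reported by Microsoft
ACTION_IOC_RE = re.compile(r"runtask\.bat|ponyfinal\.jar", re.IGNORECASE)
JAR_RE = re.compile(r"\.jar\b", re.IGNORECASE)        # broad: any JAR launched by a task


def score_task_event(ev):
    """Return the reasons a 4698 event looks like PonyFinal staging (empty list = clean)."""
    if ev.get("EventID") != 4698:
        return []
    reasons = []
    name = ev.get("TaskName", "").strip("\\").lower()
    action = f"{ev.get('Command', '')} {ev.get('Arguments', '')}"
    if name in TASK_NAME_IOCS:
        reasons.append("task name matches reported IOC 'Java Updater'")
    if ACTION_IOC_RE.search(action):
        reasons.append("action references RunTask.bat / PonyFinal.JAR")
    elif JAR_RE.search(action):
        # Lower confidence: the payload needs a JRE, so a task that launches a JAR is
        # worth a look, but legitimate Java jobs will also hit this rule.
        reasons.append("task launches a JAR (low confidence)")
    return reasons


def triage(events):
    """(host, task name, reasons) for every event with at least one reason."""
    return [(ev["Host"], ev["TaskName"], r) for ev in events if (r := score_task_event(ev))]


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"EventID": 4698, "Host": "srv-mgmt01", "TaskName": "\\Java Updater",
     "Command": "C:\\Windows\\Temp\\RunTask.bat", "Arguments": ""},
    {"EventID": 4698, "Host": "ws-042", "TaskName": "\\Backup",
     "Command": "robocopy.exe", "Arguments": "D:\\data \\\\nas\\backup /MIR"},
    {"EventID": 4698, "Host": "ws-017", "TaskName": "\\ReportJob",
     "Command": "javaw.exe", "Arguments": "-jar C:\\apps\\report.jar"},
    {"EventID": 4699, "Host": "ws-042", "TaskName": "\\Java Updater",  # deletion, not creation
     "Command": "", "Arguments": ""},
]

if __name__ == "__main__":
    for host, task, reasons in triage(SAMPLE_EVENTS):
        print(f"{host}: {task} -> {'; '.join(reasons)}")
```

Any high-confidence hit should be paired with a look at what created the task and at earlier authentication failures against the systems management server, since the article describes brute-force access as the entry point.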

PonyFinal is part of an ongoing set of ransomware campaigns that tend to stay dormant and wait for the best time to execute for the most financial gain, Microsoft said. Last month, the tech giant warned that it had discovered that multiple ransomware groups had been accumulating network access and maintaining persistence on target networks for several months, biding their time. This was discovered after dozens of deployments suddenly went live all at once in the first two weeks of April.

Incident response engagements by Microsoft Detection and Response Team (DART) showed that many of the compromises that enabled these attacks had occurred earlier.

“Using an attack pattern typical of human-operated ransomware campaigns, attackers have compromised target networks for several months beginning earlier this year and have been waiting to monetize their attacks,” according to Microsoft.

Like PonyFinal and its brute-force attacks on servers, most of the campaigns started by exploiting vulnerable internet-facing network devices or servers.

“They all used the same techniques observed in human-operated ransomware campaigns: Credential theft and lateral movement, culminating in the deployment of a ransomware payload of the attacker’s choice.”

Thwarting such attacks requires basic security hygiene, such as avoiding weak passwords on internet-facing assets. Microsoft also suggested looking for signs of the groundwork that precedes deployment, such as credential theft and lateral movement. And as always, maintaining backups in case ransomware does deploy is a good idea.

The phenomenon is ongoing, according to the firm. “So far, the attacks have affected aid organizations, medical billing companies, manufacturing, transport, government institutions and educational software providers, showing that these ransomware groups give little regard to the critical services they impact, global crisis notwithstanding,” researchers said. “These attacks, however, are not limited to critical services, so organizations should be vigilant for signs of compromise.”
