Healthcare Operations the Target of New Ransomware
A new human-operated ransomware, called “PonyFinal”, has been unveiled by Microsoft. The attackers launch the payload manually once they are inside a network, and the program is being used to attack healthcare companies.
The Microsoft security team revealed the new program that uses “brute force” against the target company’s systems management server, and is primarily targeting the healthcare sector during the current pandemic.
A series of tweets from Microsoft described the process of the program, and explained that the hackers would have to break the company’s security scheme in order to deploy the ransomware manually. This means that the program doesn’t trick users into launching the payload through phishing emails or links.
PonyFinal is a Java-based ransomware that is deployed in human-operated ransomware attacks. While Java-based ransomware are not unheard of, they’re not as common as other threat file types. However, organizations should focus less on this payload and more on how it’s delivered. pic.twitter.com/Q3BMs7fSvx
— Microsoft Security Intelligence (@MsftSecIntel) May 27, 2020
PonyFinal is Java-based, and operates by deploying a Java Runtime Environment (JRE). Evidence found by Microsoft’s security team showed that information stolen from the systems management server was used to target endpoints where a JRE is already installed. The report by the team also explains that the ransomware is delivered via an MSI file containing two batch files, one of which is the payload that is activated by the attacker. PonyFinal was first detected near the beginning of April.
Microsoft also says that other ransomware programs are being used in the same human-operated fashion, including BitPaymer, Ryuk, REvil, and Samas.
The report also explains that the program cannot be attributed to a single author, as several hacker groups are using it.
Brett Callow, a threat analyst at the malware lab Emsisoft, gave some feedback about PonyFinal:
“Human-operated ransomware such as PonyFinal is not unusual and nor is its delivery method which, according to Microsoft, is ‘thru brute force attacks against a target company’s systems management server.’ Attacks on internet-facing servers are not at all unusual and account for a significant percentage of ransomware incidents. But they’re also mostly preventable as such attacks typically only succeed because of a security weakness or vulnerability.”
He says that companies can use a few practices to help lower their risk of being attacked by PonyFinal, including using multi-factor authentication, patching promptly, and disabling PowerShell when possible.
Many ransomware attacks are targeting healthcare companies right now, in the midst of the pandemic. It was reported on March 30th that operators of the Ryuk ransomware were continuing to target hospitals. And on May 7th, hackers reportedly attacked the IT infrastructure of Germany-based Fresenius, the largest private hospital operator in Europe, with a ransomware called Snake.
It doesn’t seem like anything is sacred if our much-needed healthcare companies are being targeted by these hackers.
For all your ransomware news and more, be sure to check back in here with ScoopHash.