Microsoft has disclosed a new human-operated ransomware called “PonyFinal” that gains its initial foothold by brute-forcing a target company’s systems management server and that has mainly targeted the healthcare sector amid the COVID-19 crisis.
The company described the campaign in a series of tweets published on May 27. Because PonyFinal does not rely on tricking users into launching the payload through phishing e-mails or links, the attackers must first breach the corporate network themselves and then deploy the ransomware manually.
“PonyFinal is a Java-based ransomware that is deployed in human-operated ransomware attacks. While Java-based ransomware are not unheard of, they’re not as common as other threat file types. However, organizations should focus less on this payload and more on how it’s delivered.” — Microsoft Security Intelligence (@MsftSecIntel), May 27, 2020
Being Java-based, PonyFinal needs a Java Runtime Environment (JRE) to run. In some cases the attackers install a JRE themselves, but the evidence found by Microsoft shows that they also use information stolen from the systems management server to pick endpoints where a JRE is already installed.
The report further states that the ransomware is delivered as an MSI file containing two batch files and the ransomware payload, which the attacker triggers manually once in place.
Phillip Misner, Research Director of Microsoft Threat Protection, noted that PonyFinal is one of several human-operated ransomware campaigns, alongside:
Bitpaymer
Ryuk
REvil
SamSam (also known as Samas)
PonyFinal was first detected at the beginning of April.
The report highlighted that authorship cannot be attributed to a single group of attackers, as several hacker groups are using this same form of ransomware.
Brett Callow, a threat analyst at Emsisoft, said:
“Human-operated ransomware such as PonyFinal is not unusual and nor is its delivery method which, according to Microsoft, is ‘thru brute force attacks against a target company’s systems management server.’ Attacks on internet-facing servers are not at all unusual and account for a significant percentage of ransomware incidents. But they’re also mostly preventable as such attacks typically only succeed because of a security weakness or vulnerability.”
Callow added that companies can significantly reduce the likelihood of being successfully attacked by adhering to best practices such as using multi-factor authentication, patching promptly, and disabling PowerShell where possible.
Ransomware attacks continue to be carried out in different parts of the world in the midst of the COVID-19 crisis, with many of them targeting healthcare organizations.
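The delivery method Callow describes, a password brute force against an internet-facing management server, is one of the easier ransomware precursors to spot in logs, because the noise comes before the encryption. The following Python script is an added example written for this article, not code from Microsoft or Emsisoft: it runs a sliding-window detector over a handful of constructed log lines in a simplified Windows Security-log style (event ID 4625 = failed logon, 4624 = successful logon) and raises two kinds of findings, a source that exceeds a failure threshold within the window, and a later successful logon from a source that was already flagged, which is the point at which the attacker actually has a foothold. The log format, IP addresses, user names and thresholds are all assumptions chosen for the example.

```python
"""Sliding-window detection of logon brute forcing against a server.

Added example for this article; the log format and sample lines are
constructed, not real data from any incident. A real deployment would
read the IpAddress, TargetUserName and EventID fields from the Windows
Security log (or the equivalent fields from an SSH or VPN log).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <event id> <user> <source ip>".
# 198.51.100.7 hammers several admin accounts, then logs in as svc_sccm.
# 192.0.2.9 tries one password every seven minutes (low-and-slow).
# 203.0.113.5 is a normal user who mistypes a password once.
SAMPLE_LOG = """\
2020-04-02T03:00:00 4625 admin 192.0.2.9
2020-04-02T03:07:00 4625 admin 192.0.2.9
2020-04-02T03:10:01 4625 admin 198.51.100.7
2020-04-02T03:10:02 4625 administrator 198.51.100.7
2020-04-02T03:10:04 4625 sccmadmin 198.51.100.7
2020-04-02T03:10:05 4625 svc_sccm 198.51.100.7
2020-04-02T03:10:07 4625 backup 198.51.100.7
2020-04-02T03:10:09 4625 svc_sccm 198.51.100.7
2020-04-02T03:11:30 4624 svc_sccm 198.51.100.7
2020-04-02T03:12:00 4625 jsmith 203.0.113.5
2020-04-02T03:12:20 4624 jsmith 203.0.113.5
2020-04-02T03:14:00 4625 admin 192.0.2.9
2020-04-02T03:21:00 4625 admin 192.0.2.9
2020-04-02T03:28:00 4625 admin 192.0.2.9
this line is deliberately malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+"
    r"(?P<event>\d{4})\s+(?P<user>\S+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "event": int(m["event"]),
        "user": m["user"],
        "src": m["src"],
    }


def detect_brute_force(log_text, threshold=5, window_minutes=5):
    """Flag sources with >= threshold failed logons inside a sliding window.

    Returns {"alerts": [(src, first_failure_ts, count)],
             "compromised": [(src, user, success_ts)]}.
    A source is alerted once; any later successful logon from an alerted
    source is reported as a probable compromise.
    """
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = {}                    # src -> time it crossed the threshold
    alerts, compromised = [], []

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                # skip malformed lines rather than crash
        src = rec["src"]
        if rec["event"] == 4625:
            q = failures[src]
            q.append(rec["ts"])
            # Drop failures that fell out of the window.
            while q and rec["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged[src] = rec["ts"]
                alerts.append((src, q[0], len(q)))
        elif rec["event"] == 4624 and src in flagged:
            compromised.append((src, rec["user"], rec["ts"]))

    return {"alerts": alerts, "compromised": compromised}


if __name__ == "__main__":
    result = detect_brute_force(SAMPLE_LOG)
    for src, first, count in result["alerts"]:
        print(f"brute force: {src} {count} failures starting {first}")
    for src, user, ts in result["compromised"]:
        print(f"PROBABLE COMPROMISE: {src} logged in as {user} at {ts}")
```

Note what the default settings do and do not catch: the fast attacker trips the threshold on its fifth failure and its later success is reported as a compromise, the ordinary user is never flagged, but the low-and-slow source never has five failures inside any five-minute window and stays invisible. That is why the controls Callow lists matter more than the detection: multi-factor authentication makes a guessed password insufficient on its own, and a management server that is not reachable from the internet cannot be brute-forced from it at all.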
Source: Cointelegraph | Image: PCMag