A series of tweets have been issued by the security team at Microsoft, warning companies to implement protections against a new ransomware that has been active for the past two months.
What is happening
PonyFinal - a Java-based ransomware - has suddenly galloped into the wilds and the reins are being held by none other than humans. This ransomware is manually propagated by the threat actors. The ransomware is delivered via an MSI file containing two batch files – one that creates a Java Updater file and another that runs the PonyFinal JAR payload – as well as the payload itself.
- This ransomware is used in highly targeted attacks on victims in the U.S., India, and Iran.
- PonyFinal has been repeatedly targeting the healthcare sector during the COVID-19 pandemic.
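The delivery chain described above (an MSI package that drops batch files, one of which launches a Java payload) leaves a recognizable process ancestry on the endpoint. The following is an added detection example, not code from the article or from Microsoft: it walks constructed process-creation events, flags any java/javaw process started with a .jar argument whose ancestors include a cmd.exe running a batch file under msiexec.exe, and, as an additional heuristic that the article itself does not state, also flags a Java runtime executing from outside the standard install directory. The event format, field names and sample events are assumptions made for illustration.

```python
"""Heuristic detection for an MSI -> batch file -> Java (.jar) payload chain.

Added example, not code from the article or from Microsoft. The event
format, field names and all sample events below are constructed."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the executable
    cmdline: str   # command line as recorded by the sensor


# Constructed sample of process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /i C:\Users\u\Downloads\update.msi /qn"),
    ProcEvent(300, 200, r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c C:\Temp\install_java_updater.bat"),
    ProcEvent(400, 300, r"C:\Temp\JavaUpdater\java.exe",
              r"java.exe -jar C:\Temp\JavaUpdater\payload.jar"),
    # benign: a developer launching a jar from a standard JDK install
    ProcEvent(500, 100, r"C:\Program Files\Java\jdk-11\bin\java.exe",
              r"java.exe -jar C:\dev\app\build\app.jar"),
    # benign: an ordinary MSI install with no Java child process
    ProcEvent(600, 100, r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /i C:\Installers\office.msi"),
]

JAVA_IMAGES = ("java.exe", "javaw.exe")
# Assumed "known good" locations for a Java runtime on this fleet.
TRUSTED_JAVA_DIRS = (r"c:\program files\java", r"c:\program files (x86)\java")
JAR_ARG = re.compile(r"-jar\s+\S+\.jar", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(event: ProcEvent, by_pid: dict, max_depth: int = 5) -> list:
    """Return the parent chain of `event`, nearest parent first."""
    chain, cur = [], event
    for _ in range(max_depth):
        parent = by_pid.get(cur.ppid)
        if parent is None:
            break
        chain.append(parent)
        cur = parent
    return chain


def detect_msi_batch_jar_chain(events: list) -> list:
    """Flag jar launches whose ancestry matches MSI -> batch file -> java."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if _basename(e.image) not in JAVA_IMAGES or not JAR_ARG.search(e.cmdline):
            continue
        chain = ancestors(e, by_pid)
        names = [_basename(a.image) for a in chain]
        reasons = []
        # A cmd.exe ancestor running a .bat file, with msiexec.exe above it,
        # is the chain the article describes.
        ran_batch = any(_basename(a.image) == "cmd.exe" and ".bat" in a.cmdline.lower()
                        for a in chain)
        if ran_batch and "msiexec.exe" in names:
            reasons.append("jar launched from a batch file dropped by an MSI install")
        # Additional heuristic (assumption, not from the article): a Java
        # runtime running from an unexpected directory.
        if not e.image.lower().startswith(TRUSTED_JAVA_DIRS):
            reasons.append(f"java runtime outside trusted directories: {e.image}")
        if reasons:
            findings.append({"pid": e.pid, "cmdline": e.cmdline, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_msi_batch_jar_chain(SAMPLE_EVENTS):
        print(f["pid"], f["cmdline"], *f["reasons"], sep="\n  ")
```

Only the java.exe launched under the msiexec/cmd chain is reported; the developer's jar run from a standard JDK and the plain MSI install produce nothing, which is the point of requiring the ancestry match rather than alerting on every `-jar` invocation.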
Other ransomware groups resemble PonyFinal in that they are also human-operated and have been targeting the healthcare sector; these include REvil, LockBit, RagnarLocker, Maze, and NetWalker.
According to experts, PonyFinal uses a secure encryption scheme and encrypted files cannot be recovered in any way. As per Microsoft, the ransomware attackers have compromised target networks for several months and have been biding their time for the perfect opportunity to monetize their attacks.
With the global pandemic accelerating the move of almost every task to virtual channels, a breeding ground has opened up for threat actors. Ransomware attacks during a global crisis have affected every sector, including healthcare and finance, and the phenomenon is ongoing. These threat actors have no regard for the disruption they cause to the delivery of essential services.
These attacks are not limited to essential services; they are being conducted at enterprise scale. Organizations are advised to stay vigilant and take immediate action to investigate and remediate ransomware attacks. We may not be able to predict when and how the next threat will hit us, but we can certainly integrate cybersecurity into our daily operations.