Microsoft today shared threat data collected on PonyFinal, a Java-based ransomware deployed in human-operated ransomware campaigns. In these types of attacks, adversaries do their homework and choose a strategy and payload based on the target organization's environment.
Human-operated ransomware is not new, but it has been growing popular as attackers try to maximize ransom from individual victims. Other known human-operated ransomware campaigns include Bitpaymer, Ryuk, REvil, and Samas. Microsoft started to see PonyFinal at the beginning of April, says Phillip Misner, research director with Microsoft Threat Protection.
"These are all variations of the same sort of serious threat that customers are facing right now," he explains. Attackers employ credential theft and lateral movement to learn more about the business. "Ultimately, after they've gone through and understood the environment, they'll deploy ransomware of the attackers' choice that matches up most closely with the environment that they have observed over time."
PonyFinal attacks usually start in one of two ways. Attackers have been seen gaining access through brute-force attacks against a target's systems management server, Microsoft Security Intelligence wrote in a series of tweets. They deploy a VBScript that runs a PowerShell reverse shell to perform data dumps, along with a remote manipulator system to bypass event logging. Attackers have also exploited unpatched flaws or targeted vulnerable Internet-facing services.
In some cases, attackers deploy Java Runtime Environment (JRE), which the Java-based ransomware needs to run. However, experts say, evidence indicates the attackers use data stolen from the systems management server to target endpoints that have JRE installed. These types of attackers are careful in their operations, Misner says, and they try to avoid detection where possible. If JRE is already on a machine, they can operate without raising any alerts.
"Often the folks that are seeing the PonyFinal ransomware, they already had Java in their environments, and so attackers are using that to remain as stealthy as possible," he explains.
The ransomware is delivered via an MSI file that contains two batch files and the ransomware payload. Microsoft's investigations show PonyFinal encrypts files at a specific date and time. Encrypted files have an .enc file extension and the ransom note is a simple text file, they say.
PonyFinal is deployed at the tail end of protracted human-operated campaigns, in which the attackers typically lay dormant and wait for the most opportune time to strike. In the April PonyFinal campaigns, the period between initial compromise and ransom ranged from multiple months to the span of a week, Misner notes.
The operators behind PonyFinal are not new, he continues. This just happens to be the newest payload that researchers have seen in these kinds of ransomware campaigns. Human-operated ransomware is often tied to multiple criminal groups and is rarely exclusive to a single group of attackers. There may be several attack groups using this same form of ransomware, Misner adds.
That said, this is likely the work of an advanced group. "Like all of these human-operated ransomware campaigns, this is a cut above your normal criminal organization," Misner says. These are attackers with the ability to choose multiple payloads, and who spend their time doing research to see how they can extract the most money from the compromises they do.
These ransomware operators don't discriminate when deciding who to hit. "These attackers are looking for targets of opportunity," he explains. While there is no COVID-19 lure in these campaigns, researchers have noticed PonyFinal operators going where they might be most effective in extracting ransom amid the chaos of the coronavirus pandemic.
A Threat to Watch
Human-operated ransomware isn't like your typical automated malware, in which the attacker tries to get someone to click an executable. These campaigns use active means to find their initial entry vector, whether that's around remote desktop connections or insecure Internet-facing services. This human component demands potential victims take immediate action.
"There is a human on the other side of that … going through and directing what ransomware actually gets deployed onto the network," Misner explains. "The immediacy of having an adversary that is basically one-on-one attacking a customer is what should drive the concern and the risk here." He believes we're going to see an uptick in these types of attacks.
To defend against human-operated ransomware, Microsoft advises hardening Internet-facing assets and ensuring they have the latest security updates. Threat and vulnerability management should be used to audit assets for vulnerabilities and misconfigurations. Experts recommend adopting the principle of least privilege and avoiding the use of domainwide, admin-level service accounts.
Businesses should monitor for brute-force attempts and check for excessive failed authentication attempts. They should also watch for the clearing of Event Logs, especially the Security Event Log and PowerShell Operational logs.
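The two monitoring recommendations above, excessive failed authentication attempts and clearing of the Security or PowerShell Operational event logs, translate directly into detection logic. The script below is an added example written for this article, not Microsoft's tooling or anything from the PonyFinal reporting. It assumes events have already been exported from Windows Event Log (for example via Get-WinEvent or a SIEM forwarder) into simple records with a timestamp, event ID, channel, user and source field; the sample records and IP addresses are constructed. The Windows event IDs it keys on (4625, 1102, 104) are standard and not specific to this campaign.

```python
"""Flag brute-force logon failures and event-log clearing in exported
Windows event records.

Added example, not Microsoft's code. The record format (list of dicts with
time, event_id, channel, user, source) is an assumption standing in for
events exported from Windows Event Log or a SIEM; SAMPLE_EVENTS is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Standard Windows event IDs:
#   4625 (Security) - an account failed to log on
#   1102 (Security) - the audit (Security) log was cleared
#   104  (System)   - an event log file was cleared; the record names the
#                     channel, e.g. Microsoft-Windows-PowerShell/Operational
FAILED_LOGON = 4625
SECURITY_LOG_CLEARED = 1102
LOG_FILE_CLEARED = 104


def parse_ts(s):
    """Parse the ISO-style timestamp used in the exported records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def detect_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Return {source: peak_count} for every source that produced at least
    `threshold` failed logons (4625) inside any sliding `window`."""
    by_source = defaultdict(list)
    for e in events:
        if e["event_id"] == FAILED_LOGON and e["channel"] == "Security":
            by_source[e["source"]].append(parse_ts(e["time"]))
    hits = {}
    for src, times in by_source.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            # Slide the window start forward until it fits within `window`.
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[src] = peak
    return hits


def detect_log_clearing(events):
    """Return one alert string per log-clearing event. 1102 covers the
    Security log itself; 104 names whichever channel was cleared."""
    alerts = []
    for e in events:
        if e["event_id"] == SECURITY_LOG_CLEARED and e["channel"] == "Security":
            alerts.append(f'{e["time"]} Security log cleared by {e["user"]}')
        elif e["event_id"] == LOG_FILE_CLEARED and e["channel"] == "System":
            channel = e.get("cleared_channel", "<unknown channel>")
            alerts.append(f'{e["time"]} {channel} cleared by {e["user"]}')
    return alerts


# Constructed sample: 12 failed logons from one host within two minutes,
# 3 scattered failures from another host, then two log-clearing events.
SAMPLE_EVENTS = (
    [{"time": f"2020-04-10T02:00:{i * 10:02d}", "event_id": 4625, "channel": "Security",
      "user": "svc_mgmt", "source": "10.0.0.23"} for i in range(6)]
    + [{"time": f"2020-04-10T02:01:{i * 10:02d}", "event_id": 4625, "channel": "Security",
        "user": "svc_mgmt", "source": "10.0.0.23"} for i in range(6)]
    + [{"time": t, "event_id": 4625, "channel": "Security", "user": "jdoe", "source": "10.0.0.77"}
       for t in ("2020-04-10T01:10:00", "2020-04-10T01:40:00", "2020-04-10T02:10:00")]
    + [{"time": "2020-04-10T02:05:12", "event_id": 1102, "channel": "Security",
        "user": "svc_mgmt", "source": "-"},
       {"time": "2020-04-10T02:05:15", "event_id": 104, "channel": "System",
        "user": "svc_mgmt", "source": "-",
        "cleared_channel": "Microsoft-Windows-PowerShell/Operational"}]
)

if __name__ == "__main__":
    for src, n in detect_bruteforce(SAMPLE_EVENTS).items():
        print(f"brute-force suspect: {src} ({n} failures in 5 min)")
    for alert in detect_log_clearing(SAMPLE_EVENTS):
        print("log clearing:", alert)
```

The threshold and window are starting points to tune against a baseline of normal failed-logon volume; the log-clearing check needs no threshold, since clearing the Security or PowerShell Operational log is rare enough in most environments to warrant a ticket on every occurrence.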