Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

5/27/2020
12:05 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Microsoft Shares PonyFinal Threat Data, Warns of Delivery Tactics

PonyFinal is deployed in human-operated ransomware attacks, in which adversaries tailor their techniques based on knowledge of a target system.

Microsoft today shared threat data collected on PonyFinal, a Java-based ransomware deployed in human-operated ransomware campaigns. In these types of attacks, adversaries do their homework and choose a strategy and payload based on the target organization's environment.

Human-operated ransomware is not new, but it has been growing popular as attackers try to maximize ransom from individual victims. Other known human-operated ransomware campaigns include Bitpaymer, Ryuk, REvil, and Samas. Microsoft started to see PonyFinal at the beginning of April, says Phillip Misner, research director with Microsoft Threat Protection. 

"These are all variations of the same sort of serious threat that customers are facing right now," he explains. Attackers employ credential theft and lateral movement to learn more about the business. "Ultimately, after they've gone through and understood the environment, they'll deploy ransomware of the attackers' choice that matches up most closely with the environment that they have observed over time."

PonyFinal attacks usually start in one of two ways. Attackers have been seen gaining access through brute-force attacks against a target's systems management server, Microsoft Security Intelligence wrote in a series of tweets. They deploy a VBScript to run a PowerShell reverse shell to perform data dumps, and also a remote manipulator system to bypass event logging. Attackers have also exploited unpatched flaws or targeted vulnerable Internet-facing services.

In some cases, attackers deploy Java Runtime Environment (JRE), which the Java-based ransomware needs to run. However, experts say, evidence indicates the attackers use data stolen from the systems management server to target endpoints that have JRE installed. These types of attackers are careful in their operations, Misner says, and they try to avoid detection where possible. If JRE is already on a machine, they can operate without raising any alerts.

"Often the folks that are seeing the PonyFinal ransomware, they already had Java in their environments, and so attackers are using that to remain as stealth as possible," he explains. 

The ransomware is delivered via an MSI file that contains two batch files and the ransomware payload. Microsoft's investigations show PonyFinal encrypts files at a specific date and time. Encrypted files have an .enc file extension and the ransom note is a simple text file, they say.

PonyFinal is deployed at the tail end of protracted human-operated campaigns, in which the attackers typically lay dormant and wait for the most opportune time to strike. In the April PonyFinal campaigns, the period between initial compromise and ransom ranged from multiple months to the span of a week, Misner notes.   

The operators behind PonyFinal are not new, he continues. This just happens to be the newest payload that researchers have seen in these kinds of ransomware campaigns. Human-operated ransomware is often tied to multiple criminal groups and is rarely exclusive to a single group of attackers. There may be several attack groups using this same form of ransomware, Misner adds. 

That said, this is likely the work of an advanced group. "Like all of these human-operated ransomware campaigns, this is a cut above your normal criminal organization," Misner says. These are attackers with the ability to choose multiple payloads and who spend their time doing researcher to see how they can extract the most money from the compromises they do.

These ransomware operators don't discriminate when deciding who to hit. "These attackers are looking for targets of opportunity," he explains. While there is no COVID-19 lure in these campaigns, researchers have noticed PonyFinal operators going where they might be most effective in extracting ransom amid the chaos of the coronavirus pandemic. 

A Threat to Watch
Human-operated ransomware isn't like your typical automated malware, in which the attacker tries to get someone to click an executable. These campaigns use active means to find their initial entry vector, whether that's around remote desktop connections or insecure Internet-facing services. This human component demands potential victims take immediate action. 

"There is a human on the other side of that … going through and directing what ransomware actually gets deployed onto the network," Misner explains. "The immediacy of having an adversary that is basically one-on-one attacking a customer is what should drive the concern and the risk here." He believes we're going to see an uptick in these types of attacks.

To defend against human-operated ransomware, Microsoft advises hardening Internet-facing assets and ensuring they have the latest security updates. Threat and vulnerability management should be used to audit assets for vulnerabilities and misconfigurations. Experts recommend adopting the principle of least privilege and avoiding the use of domainwide, admin-level service accounts.

Businesses should monitor for brute-force attempts and check for excessive failed authentication attempts. They should also watch for the clearing of Event Logs, especially the Security Event Log and PowerShell Operational logs.

Related Content:

 

 
 
 
 
 
 
Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really  bad day" in cybersecurity. Click for more information and to register
 
 
Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
New 'Nanodegree' Program Provides Hands-On Cybersecurity Training
Nicole Ferraro, Contributing Writer,  8/3/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15820
PUBLISHED: 2020-08-08
In JetBrains YouTrack before 2020.2.6881, the markdown parser could disclose hidden file existence.
CVE-2020-15821
PUBLISHED: 2020-08-08
In JetBrains YouTrack before 2020.2.6881, a user without permission is able to create an article draft.
CVE-2020-15823
PUBLISHED: 2020-08-08
JetBrains YouTrack before 2020.2.8873 is vulnerable to SSRF in the Workflow component.
CVE-2020-15824
PUBLISHED: 2020-08-08
In JetBrains Kotlin before 1.4.0, there is a script-cache privilege escalation vulnerability due to kotlin-main-kts cached scripts in the system temp directory, which is shared by all users by default.
CVE-2020-15825
PUBLISHED: 2020-08-08
In JetBrains TeamCity before 2020.1, users with the Modify Group permission can elevate other users' privileges.