Dark Reading is part of the Informa Tech Division of Informa PLC

Attacks/Breaches

5/27/2020
12:05 PM

Microsoft Shares PonyFinal Threat Data, Warns of Delivery Tactics

PonyFinal is deployed in human-operated ransomware attacks, in which adversaries tailor their techniques based on knowledge of a target system.

Microsoft today shared threat data collected on PonyFinal, a Java-based ransomware deployed in human-operated ransomware campaigns. In these types of attacks, adversaries do their homework and choose a strategy and payload based on the target organization's environment.

Human-operated ransomware is not new, but it has been growing popular as attackers try to maximize ransom from individual victims. Other known human-operated ransomware campaigns include Bitpaymer, Ryuk, REvil, and Samas. Microsoft started to see PonyFinal at the beginning of April, says Phillip Misner, research director with Microsoft Threat Protection. 

"These are all variations of the same sort of serious threat that customers are facing right now," he explains. Attackers employ credential theft and lateral movement to learn more about the business. "Ultimately, after they've gone through and understood the environment, they'll deploy ransomware of the attackers' choice that matches up most closely with the environment that they have observed over time."

PonyFinal attacks usually start in one of two ways. Attackers have been seen gaining access through brute-force attacks against a target's systems management server, Microsoft Security Intelligence wrote in a series of tweets. They deploy a VBScript to run a PowerShell reverse shell to perform data dumps, and also a remote manipulator system to bypass event logging. Attackers have also exploited unpatched flaws or targeted vulnerable Internet-facing services.

In some cases, attackers deploy Java Runtime Environment (JRE), which the Java-based ransomware needs to run. However, experts say, evidence indicates the attackers use data stolen from the systems management server to target endpoints that have JRE installed. These types of attackers are careful in their operations, Misner says, and they try to avoid detection where possible. If JRE is already on a machine, they can operate without raising any alerts.

"Often the folks that are seeing the PonyFinal ransomware, they already had Java in their environments, and so attackers are using that to remain as stealth as possible," he explains. 

The ransomware is delivered via an MSI file that contains two batch files and the ransomware payload. Microsoft's investigations show PonyFinal encrypts files at a specific date and time. Encrypted files have an .enc file extension and the ransom note is a simple text file, they say.

PonyFinal is deployed at the tail end of protracted human-operated campaigns, in which the attackers typically lay dormant and wait for the most opportune time to strike. In the April PonyFinal campaigns, the period between initial compromise and ransom ranged from multiple months to the span of a week, Misner notes.   

The operators behind PonyFinal are not new, he continues. This just happens to be the newest payload that researchers have seen in these kinds of ransomware campaigns. Human-operated ransomware is often tied to multiple criminal groups and is rarely exclusive to a single group of attackers. There may be several attack groups using this same form of ransomware, Misner adds. 

That said, this is likely the work of an advanced group. "Like all of these human-operated ransomware campaigns, this is a cut above your normal criminal organization," Misner says. These are attackers with the ability to choose multiple payloads and who spend their time doing research to see how they can extract the most money from the compromises they carry out.

These ransomware operators don't discriminate when deciding who to hit. "These attackers are looking for targets of opportunity," he explains. While there is no COVID-19 lure in these campaigns, researchers have noticed PonyFinal operators going where they might be most effective in extracting ransom amid the chaos of the coronavirus pandemic. 

A Threat to Watch
Human-operated ransomware isn't like your typical automated malware, in which the attacker tries to get someone to click an executable. These campaigns use active means to find their initial entry vector, whether that's around remote desktop connections or insecure Internet-facing services. This human component demands potential victims take immediate action. 

"There is a human on the other side of that … going through and directing what ransomware actually gets deployed onto the network," Misner explains. "The immediacy of having an adversary that is basically one-on-one attacking a customer is what should drive the concern and the risk here." He believes we're going to see an uptick in these types of attacks.

To defend against human-operated ransomware, Microsoft advises hardening Internet-facing assets and ensuring they have the latest security updates. Threat and vulnerability management should be used to audit assets for vulnerabilities and misconfigurations. Experts recommend adopting the principle of least privilege and avoiding the use of domainwide, admin-level service accounts.

Businesses should monitor for brute-force attempts and check for excessive failed authentication attempts. They should also watch for the clearing of Event Logs, especially the Security Event Log and PowerShell Operational logs.
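The two monitoring recommendations above (excessive failed authentication attempts, and clearing of the Security and PowerShell Operational logs) can be expressed as a small detection pass over forwarded Windows events. The following is an added example, not code from Microsoft or from the article; the event records are constructed to resemble what a SIEM ingests via Windows Event Forwarding, and the thresholds (10 failures in 5 minutes) and the field names (`host`, `src_ip`, `cleared_log`) are assumptions of this example. The Windows event IDs are real: 4625 (account failed to log on, Security log), 1102 (audit log cleared, Security log) and 104 (an event log was cleared, recorded in the System log with the cleared log's name).

```python
"""Detection sketch for failed-logon bursts and event-log clearing.

Added example; the sample events below are constructed, not real telemetry.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Windows event IDs the checks key on.
FAILED_LOGON = 4625          # Security: an account failed to log on
SECURITY_LOG_CLEARED = 1102  # Security: the audit log was cleared
LOG_CLEARED = 104            # System: a named event log was cleared (e.g. PowerShell Operational)


def _failed_logons(host, src_ip, user, start, count, step_seconds):
    """Build `count` constructed 4625 records spaced `step_seconds` apart."""
    return [
        {"time": (start + timedelta(seconds=i * step_seconds)).isoformat(),
         "id": FAILED_LOGON, "channel": "Security",
         "host": host, "src_ip": src_ip, "user": user}
        for i in range(count)
    ]


# Constructed sample: a password-guessing burst against a management server,
# two ordinary mistyped passwords from a workstation user, and two log clears.
SAMPLE_EVENTS = (
    _failed_logons("SYSMGMT01", "203.0.113.5", "administrator",
                   datetime(2020, 4, 2, 1, 0, 0), count=12, step_seconds=15)
    + _failed_logons("WS017", "10.0.0.23", "jdoe",
                     datetime(2020, 4, 2, 9, 0, 0), count=2, step_seconds=40)
    + [
        {"time": "2020-04-02T01:30:00", "id": SECURITY_LOG_CLEARED, "channel": "Security",
         "host": "SYSMGMT01", "user": "svc_backup"},
        {"time": "2020-04-02T01:31:00", "id": LOG_CLEARED, "channel": "System",
         "host": "WS042", "user": "svc_backup",
         "cleared_log": "Microsoft-Windows-PowerShell/Operational"},
    ]
)


def detect_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Return the set of (host, src_ip) pairs that produced `threshold` or more
    failed logons inside any sliding window of length `window`."""
    hits = set()
    recent = defaultdict(deque)  # (host, src_ip) -> timestamps inside the window
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] != FAILED_LOGON:
            continue
        key = (ev["host"], ev["src_ip"])
        now = datetime.fromisoformat(ev["time"])
        q = recent[key]
        q.append(now)
        while q and now - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            hits.add(key)
    return hits


def detect_log_clearing(events):
    """Return (host, cleared_log, user) for every log-clearing event:
    1102 covers the Security log itself; 104 names any other cleared log,
    which is how a cleared PowerShell Operational log shows up."""
    findings = []
    for ev in events:
        if ev["id"] == SECURITY_LOG_CLEARED and ev["channel"] == "Security":
            findings.append((ev["host"], "Security", ev["user"]))
        elif ev["id"] == LOG_CLEARED and ev["channel"] == "System":
            findings.append((ev["host"], ev["cleared_log"], ev["user"]))
    return findings


if __name__ == "__main__":
    for host, ip in detect_bruteforce(SAMPLE_EVENTS):
        print(f"ALERT brute-force: {ip} -> {host}")
    for host, log, user in detect_log_clearing(SAMPLE_EVENTS):
        print(f"ALERT log cleared: {log} on {host} by {user}")
```

The sliding-window approach means a slow, spread-out guess pattern stays below the threshold, so in practice the window and threshold should be tuned per asset class; a systems management server of the kind described above warrants a far lower threshold than a user workstation. The 104 check is the one that catches PowerShell Operational clearing, because that log's clearing is recorded in the System log rather than in the PowerShell log itself.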

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...