Original Release Date: 6/2/2020
Over the past two months, a new ransomware variant, “PonyFinal”, has infected corporate networks in the US, India, and Iran. It is Java-based, human-operated ransomware: threat actors breach a corporate network before deploying the ransomware. In previous incidents, the threat actors behind PonyFinal brute-forced the password for an account on the company’s systems management server and then deployed a Visual Basic script (VBScript) that ran a PowerShell reverse shell to steal local data. The threat actors spread to other systems on the network and then launched the ransomware. The attackers have targeted workstations with the Java Runtime Environment (JRE) installed or, where it was not found, installed JRE on workstations before running the ransomware. Encrypted files are given the .enc file extension, and the ransom note, often named README_files.txt, provides instructions for paying the ransom demand. PonyFinal has repeatedly targeted the healthcare sector during the COVID-19 pandemic. There is no known decryption tool at the time of this writing.
The NJCCIC advises following the recommendations in the Ransomware: Risk Mitigation Strategies guide, which includes establishing a comprehensive data backup plan. More information can be found in the Microsoft Security Intelligence Twitter thread and the ZDNet article.
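As an added illustration (not part of the NJCCIC advisory or Microsoft's reporting), the three stages described above can be hunted for in endpoint and authentication telemetry: a password brute force against the management server followed by a successful logon, a script host (wscript.exe/cscript.exe) launching PowerShell, and a process writing .enc files or the README_files.txt ransom note. The event layout, host names, user names and paths below are constructed sample data and assumptions, not indicators from the advisory.

```python
"""Hunt for the PonyFinal chain in constructed Windows-style events: brute force on
the management server, VBScript launching PowerShell, Java writing .enc files."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): (utc_time, host, kind, a, b)
# logon_*: a=user, b=source; process: a=parent, b=child; file_write: a=process, b=path
EVENTS = [
    ("2020-05-01T02:00:01", "mgmt01", "logon_failed", "svc_admin", "10.0.0.9"),
    ("2020-05-01T02:00:02", "mgmt01", "logon_failed", "svc_admin", "10.0.0.9"),
    ("2020-05-01T02:00:03", "mgmt01", "logon_failed", "svc_admin", "10.0.0.9"),
    ("2020-05-01T02:00:04", "mgmt01", "logon_success", "svc_admin", "10.0.0.9"),
    ("2020-05-01T02:05:00", "mgmt01", "process", "wscript.exe", "powershell.exe"),
    ("2020-05-01T02:05:30", "mgmt01", "process", "explorer.exe", "powershell.exe"),
    ("2020-05-01T03:10:00", "ws17", "file_write", "java.exe", r"C:\Users\a\report.docx.enc"),
    ("2020-05-01T03:10:01", "ws17", "file_write", "java.exe", r"C:\Users\a\budget.xlsx.enc"),
    ("2020-05-01T03:10:02", "ws17", "file_write", "java.exe", r"C:\Users\a\README_files.txt"),
    ("2020-05-01T09:00:00", "ws02", "file_write", "WINWORD.EXE", r"C:\Users\b\memo.docx"),
]

def brute_force_then_success(events, threshold=3, window=timedelta(minutes=2)):
    """(host, user) pairs with >= threshold failed logons inside `window`
    before a successful logon: the initial-access step described in the advisory."""
    fails, hits = defaultdict(list), set()
    for t, host, kind, user, _src in events:
        when = datetime.fromisoformat(t)
        if kind == "logon_failed":
            fails[(host, user)].append(when)
        elif kind == "logon_success":
            if sum(when - f <= window for f in fails[(host, user)]) >= threshold:
                hits.add((host, user))
    return sorted(hits)

def script_host_spawning_powershell(events):
    """Hosts where wscript/cscript launched PowerShell (VBScript -> reverse shell)."""
    return sorted({h for _t, h, k, parent, child in events if k == "process"
                   and parent.lower() in ("wscript.exe", "cscript.exe")
                   and child.lower() == "powershell.exe"})

def encryption_activity(events, min_enc=2):
    """Hosts writing >= min_enc '.enc' files, or the README_files.txt ransom note."""
    enc, note = defaultdict(int), set()
    for _t, host, kind, _proc, path in events:
        if kind != "file_write":
            continue
        name = path.rsplit("\\", 1)[-1].lower()
        if name.endswith(".enc"):
            enc[host] += 1
        elif name == "readme_files.txt":
            note.add(host)
    return sorted(h for h in set(enc) | note if enc[h] >= min_enc or h in note)
```

Each detector is independent, so a hit on the brute-force stage alone is an early warning well before any .enc files appear.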