5/27/2020
12:05 PM

Microsoft Shares PonyFinal Threat Data, Warns of Delivery Tactics

PonyFinal is deployed in human-operated ransomware attacks, in which adversaries tailor their techniques based on knowledge of a target system.

Microsoft today shared threat data collected on PonyFinal, a Java-based ransomware deployed in human-operated ransomware campaigns. In these types of attacks, adversaries do their homework and choose a strategy and payload based on the target organization's environment.

Human-operated ransomware is not new, but it has been growing in popularity as attackers try to maximize the ransom extracted from each victim. Other known human-operated ransomware campaigns include Bitpaymer, Ryuk, REvil, and Samas. Microsoft started to see PonyFinal at the beginning of April, says Phillip Misner, research director with Microsoft Threat Protection.

"These are all variations of the same sort of serious threat that customers are facing right now," he explains. Attackers employ credential theft and lateral movement to learn more about the business. "Ultimately, after they've gone through and understood the environment, they'll deploy ransomware of the attackers' choice that matches up most closely with the environment that they have observed over time."

PonyFinal attacks usually start in one of two ways. In the first, attackers gain access through brute-force attacks against a target's systems management server, Microsoft Security Intelligence wrote in a series of tweets. They then deploy a VBScript that runs a PowerShell reverse shell to perform data dumps, along with a remote manipulator system to bypass event logging. In the second, attackers exploit unpatched flaws or target vulnerable Internet-facing services.

In some cases, attackers deploy the Java Runtime Environment (JRE), which the Java-based ransomware needs to run. However, evidence indicates the attackers more commonly use data stolen from the systems management server to target endpoints that already have JRE installed. These attackers are careful in their operations, Misner says, and try to avoid detection where possible: if JRE is already on a machine, they can operate without raising any alerts.

"Often the folks that are seeing the PonyFinal ransomware, they already had Java in their environments, and so attackers are using that to remain as stealthy as possible," he explains.

The ransomware is delivered via an MSI file that contains two batch files and the ransomware payload. Microsoft's investigations show PonyFinal encrypts files at a specific date and time. Encrypted files carry an .enc extension, and the ransom note is a simple text file, Microsoft says.

PonyFinal is deployed at the tail end of protracted human-operated campaigns, in which the attackers typically lie dormant and wait for the most opportune time to strike. In the April PonyFinal campaigns, the period between initial compromise and the ransom demand ranged from a week to multiple months, Misner notes.

The operators behind PonyFinal are not new, he continues. This just happens to be the newest payload that researchers have seen in these kinds of ransomware campaigns. Human-operated ransomware is often tied to multiple criminal groups and is rarely exclusive to a single group of attackers. There may be several attack groups using this same form of ransomware, Misner adds. 

That said, this is likely the work of an advanced group. "Like all of these human-operated ransomware campaigns, this is a cut above your normal criminal organization," Misner says. These are attackers with the ability to choose among multiple payloads, who spend their time doing research to see how they can extract the most money from each organization they compromise.

These ransomware operators don't discriminate when deciding who to hit. "These attackers are looking for targets of opportunity," he explains. While there is no COVID-19 lure in these campaigns, researchers have noticed PonyFinal operators going where they might be most effective in extracting ransom amid the chaos of the coronavirus pandemic. 

A Threat to Watch
Human-operated ransomware isn't like typical automated malware, in which the attacker tries to get someone to click an executable. These campaigns use active means to find an initial entry vector, whether through exposed remote desktop connections or insecure Internet-facing services. This human component demands that potential victims take immediate action.

"There is a human on the other side of that … going through and directing what ransomware actually gets deployed onto the network," Misner explains. "The immediacy of having an adversary that is basically one-on-one attacking a customer is what should drive the concern and the risk here." He believes we're going to see an uptick in these types of attacks.

To defend against human-operated ransomware, Microsoft advises hardening Internet-facing assets and ensuring they have the latest security updates. Threat and vulnerability management should be used to audit assets for vulnerabilities and misconfigurations. Experts recommend adopting the principle of least privilege and avoiding the use of domainwide, admin-level service accounts.

Businesses should monitor for brute-force attempts and check for excessive failed authentication attempts. They should also watch for the clearing of Event Logs, especially the Security Event Log and PowerShell Operational logs.
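The two monitoring recommendations above map to a handful of well-known Windows event IDs: 4625 (failed logon) and 4624 (successful logon) in the Security log, 1102 (the Security audit log was cleared) and 104 in the System log, which is what clearing another channel such as Microsoft-Windows-PowerShell/Operational produces. The following is an added example of that detection logic, not Microsoft's code or anything from the PonyFinal campaign itself. The event records are constructed here to resemble the brute-force-then-wipe sequence described in the article; the field names, the 10-failures-in-5-minutes threshold and the source addresses are assumptions. In practice the records would come from a SIEM or from Get-WinEvent over the Security and System logs.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _build_sample_events():
    """Constructed sample telemetry (not real logs). Event IDs are the real
    Windows IDs: 4625 failed logon and 4624 successful logon in the Security
    log; 1102 'audit log was cleared' in the Security log; 104 'log file was
    cleared' in the System log, produced when a non-Security channel such as
    Microsoft-Windows-PowerShell/Operational is cleared."""
    base = datetime(2020, 4, 2, 1, 0, 0)
    events = []
    # Twelve failed logons in one minute against a management-server account
    # from a single external source (address from the documentation range).
    for i in range(12):
        events.append({"time": base + timedelta(seconds=5 * i), "log": "Security",
                       "id": 4625, "user": "svc-mgmt", "src": "203.0.113.7"})
    # Two scattered failures from an internal host: ordinary typos, not an attack.
    events.append({"time": base + timedelta(minutes=2), "log": "Security",
                   "id": 4625, "user": "jsmith", "src": "10.0.0.21"})
    events.append({"time": base + timedelta(minutes=40), "log": "Security",
                   "id": 4625, "user": "jsmith", "src": "10.0.0.21"})
    # The brute force succeeds, then the intruder clears the PowerShell
    # Operational log and the Security log.
    events.append({"time": base + timedelta(minutes=1, seconds=10), "log": "Security",
                   "id": 4624, "user": "svc-mgmt", "src": "203.0.113.7"})
    events.append({"time": base + timedelta(minutes=3), "log": "System", "id": 104,
                   "channel": "Microsoft-Windows-PowerShell/Operational", "user": "svc-mgmt"})
    events.append({"time": base + timedelta(minutes=3, seconds=2), "log": "Security",
                   "id": 1102, "user": "svc-mgmt"})
    return sorted(events, key=lambda e: e["time"])


SAMPLE_EVENTS = _build_sample_events()


def detect_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Flag any source that produces >= threshold failed logons (4625) inside a
    sliding window, and escalate if the same source then logs on successfully
    (4624) within the window: a password guessed, not merely tried.
    The threshold and window are assumed values; tune them to the environment."""
    alerts = []
    failures = defaultdict(deque)   # src -> timestamps of recent 4625s
    flagged = {}                    # src -> time the threshold was crossed
    for e in sorted(events, key=lambda e: e["time"]):
        if e["log"] != "Security" or e["id"] not in (4624, 4625):
            continue
        src, t = e["src"], e["time"]
        recent = failures[src]
        while recent and t - recent[0] > window:   # drop failures older than the window
            recent.popleft()
        if e["id"] == 4625:
            recent.append(t)
            if len(recent) >= threshold and src not in flagged:
                flagged[src] = t
                alerts.append({"rule": "brute_force", "src": src, "user": e["user"],
                               "failures": len(recent), "time": t})
        elif src in flagged and t - flagged[src] <= window:
            alerts.append({"rule": "brute_force_success", "src": src,
                           "user": e["user"], "time": t})
    return alerts


def detect_log_clearing(events):
    """Flag clearing of the Security log (1102) and of any other channel (104),
    naming the channel so a wiped PowerShell Operational log stands out."""
    alerts = []
    for e in events:
        if e["log"] == "Security" and e["id"] == 1102:
            alerts.append({"rule": "log_cleared", "channel": "Security",
                           "user": e["user"], "time": e["time"]})
        elif e["log"] == "System" and e["id"] == 104:
            alerts.append({"rule": "log_cleared", "channel": e.get("channel", "unknown"),
                           "user": e["user"], "time": e["time"]})
    return alerts


def run_detections(events):
    """Run both rules and return the alerts in chronological order."""
    alerts = detect_bruteforce(events) + detect_log_clearing(events)
    return sorted(alerts, key=lambda a: a["time"])


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert["time"].isoformat(), alert)
```

On the constructed sample this yields four alerts in order: the brute force against svc-mgmt from 203.0.113.7, the successful logon from the same source 25 seconds later, the cleared PowerShell Operational channel, and the cleared Security log; the two stray failures from 10.0.0.21 produce nothing. One caveat a defender should keep in mind: the article notes the operators also deploy tooling to bypass event logging, so an event that is never written cannot trip a rule like this. Forward logs off the host promptly and treat a log source that suddenly goes quiet as a signal in its own right.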

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...