Microsoft’s security team has issued an advisory today warning organizations around the globe to deploy protections against a new strain of ransomware that has been in the wild over the past two months. Infections have been reported in India, Iran and the United States. The intrusion point is usually an account on a company’s systems management server, which the PonyFinal gang breaches using brute-force attacks that guess weak passwords. Once inside, Microsoft says the PonyFinal gang deploys a Visual Basic script that runs a PowerShell reverse shell to dump and steal local data. In addition, the ransomware operators also deploy “a remote manipulator system to bypass event logging”. Once the PonyFinal gang has a firm grasp on the target’s network, they then spread to other local systems and deploy the actual PonyFinal ransomware. PonyFinal is a Java-based ransomware that is deployed in human-operated ransomware attacks,” Microsoft said in a series of tweets published.
We usually discover that the attack vector for ransomware was through a user\’s endpoint and email clicks. With this type of attack, it all starts with the attackers using brute force to gain access to a system within the organization\’s network.
Organizations want to establish robust procedures for administrative access to their critical systems with multi-factor authentication or a more robust password of 30 characters or more to reduce the risk of a brute force attack.
It\’s essential to monitor networks and systems of new software deployments, scheduled tasks, and loaded scripts to avoid possible exploitation, which provides the criminal groups an easy way into the network.