Microsoft Warns Of PonyFinal Ransomware With Infections Detected Across Iran, India And US

Microsoft’s security team has issued an advisory today warning organizations around the globe to deploy protections against a new strain of ransomware that has been in the wild over the past two months. Infections have been reported in India, Iran and the United States. The intrusion point is usually an account on a company’s systems management server, which the PonyFinal gang breaches using brute-force attacks that guess weak passwords. Once inside, Microsoft says, the PonyFinal gang deploys a Visual Basic script that runs a PowerShell reverse shell to dump and steal local data. In addition, the ransomware operators also deploy “a remote manipulator system to bypass event logging”. Once the PonyFinal gang has a firm grasp on the target’s network, they spread to other local systems and deploy the actual PonyFinal ransomware. “PonyFinal is a Java-based ransomware that is deployed in human-operated ransomware attacks,” Microsoft said in a series of tweets.

Expert Comments

May 29, 2020
James McQuiggan
Security Awareness Advocate
KnowBe4
We usually discover that the attack vector for ransomware was through a user's endpoint and email clicks. With this type of attack, it all starts with the attackers using brute force to gain access to a system within the organization's network. Organizations want to establish robust procedures for administrative access to their critical systems with multi-factor authentication or a more robust password of 30 characters or more to reduce the risk of a brute force attack. It's essential to monitor networks and systems for new software deployments, scheduled tasks, and loaded scripts to avoid possible exploitation, which provides the criminal groups an easy way into the network.
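One way to watch for the brute-force entry the article describes and the monitoring the comment above recommends, as an added example that is neither Microsoft's nor the commenter's code: it parses constructed, simplified Windows logon events (4625 failed logon, 4624 successful logon) and flags a source that fails repeatedly against one account and then succeeds. The log line format, the sample addresses and the thresholds are assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a simplified logon-event format (not real telemetry).
SAMPLE_LOG = """\
2020-05-27T02:11:03Z EventID=4625 TargetUser=admin Source=203.0.113.7 LogonType=3
2020-05-27T02:11:04Z EventID=4625 TargetUser=admin Source=203.0.113.7 LogonType=3
2020-05-27T02:11:05Z EventID=4625 TargetUser=admin Source=203.0.113.7 LogonType=3
2020-05-27T02:11:06Z EventID=4625 TargetUser=admin Source=203.0.113.7 LogonType=3
2020-05-27T02:11:07Z EventID=4625 TargetUser=admin Source=203.0.113.7 LogonType=3
2020-05-27T02:11:09Z EventID=4624 TargetUser=admin Source=203.0.113.7 LogonType=3
2020-05-27T03:00:00Z EventID=4625 TargetUser=jdoe Source=10.0.0.5 LogonType=2
2020-05-27T03:00:30Z EventID=4624 TargetUser=jdoe Source=10.0.0.5 LogonType=2
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) EventID=(?P<eid>\d+) TargetUser=(?P<user>\S+) "
                     r"Source=(?P<src>\S+) LogonType=(?P<lt>\d+)$")

def parse(line):
    """Turn one constructed log line into a dict; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["eid"] = int(ev["eid"])
    return ev

def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return (user, source, failure_count) for every successful logon that was
    preceded by at least `threshold` failures from the same source within `window`."""
    failures = defaultdict(deque)  # (user, source) -> timestamps of recent 4625s
    alerts = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        q = failures[(ev["user"], ev["src"])]
        while q and ev["ts"] - q[0] > window:   # drop failures outside the window
            q.popleft()
        if ev["eid"] == 4625:
            q.append(ev["ts"])
        elif ev["eid"] == 4624 and len(q) >= threshold:
            alerts.append((ev["user"], ev["src"], len(q)))
            q.clear()                            # one alert per burst
    return alerts

if __name__ == "__main__":
    for user, src, n in detect_bruteforce(SAMPLE_LOG):
        print(f"ALERT: {n} failed logons then success for {user} from {src}")
```

The single failure by `jdoe` stays below the threshold, so only the repeated failures against `admin` followed by a success are reported.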