Microsoft Warns Of PonyFinal Ransomware With Infections Detected Across Iran, India And US

Microsoft’s security team has issued an advisory today warning organizations around the globe to deploy protections against a new strain of ransomware that has been in the wild over the past two months. Infections have been reported in India, Iran and the United States. The intrusion point is usually an account on a company’s systems management server, which the PonyFinal gang breaches using brute-force attacks that guess weak passwords. Once inside, Microsoft says the PonyFinal gang deploys a Visual Basic script that runs a PowerShell reverse shell to dump and steal local data. In addition, the ransomware operators also deploy “a remote manipulator system to bypass event logging”. Once the PonyFinal gang has a firm grasp on the target’s network, they then spread to other local systems and deploy the actual PonyFinal ransomware. PonyFinal is a Java-based ransomware that is deployed in human-operated ransomware attacks,” Microsoft said in a series of tweets published.

James McQuiggan, Security Awareness Advocate,  KnowBe4
May 29, 2020
It's essential to monitor networks and systems of new software deployments, scheduled tasks.
We usually discover that the attack vector for ransomware was through a user's endpoint and email clicks. With this type of attack, it all starts with the attackers using brute force to gain access to a system within the organization's network. Organizations want to establish robust procedures for administrative access to their critical systems with multi-factor authentication or a more robust p ....
[Read More >>]

If you are an expert on this topic:

Submit Your Expert Comments

In this article