Microsoft warns of the dangers of new attacks with PonyFinal ransomware




The PonyFinal ransomware is particularly effective due to the fact that the hackers behind the attacks preliminarily study the activity of the future victim and create a plan that will best maximize their benefits from a successful attack. That is, attackers hack into corporate networks and manually place their software there, rather than automating the process of distributing an encryptor, as is often the case.

In a series of tweets, Microsoft's security team emphasized that it is more important for organizations to pay attention to how the attack is carried out than to study only the malicious code.

And that makes sense. When the media covers ransomware attacks, the focus is on companies being locked out of their encrypted data and on the dilemma of whether or not to pay the ransom.



IT security departments are advised to pay more attention to how the attack begins and what methods the hacker group uses to deliver the encryptor to the company's computer systems. Another scenario is possible: the security staff themselves stage an attack against the first line of defense, study the attackers' playbook, and use the data gathered to eliminate any bottlenecks in the protection system. With this approach, a company will never have to face the nightmare scenario of recovering its encrypted data.

As Microsoft's security staff found out, in most cases the point of intrusion is an account on the system management server. PonyFinal operators get in by brute force, finding accounts with weak passwords. After gaining access to the server, the attacker runs a Visual Basic script that launches software to collect and steal data.
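Because the entry point described above is a run of failed logons against management-server accounts followed by a success, the most useful defensive check is to flag exactly that pattern in authentication logs. The following is an added example, not code from the Cloud4Y post or from Microsoft; the log format, the threshold, the time window and the sample lines are all constructed assumptions for illustration.

```python
"""Flag brute-force logon runs and the success that follows them.

Added example (not from the original post). The log format
"<ISO timestamp> <source_ip> <user> <FAIL|SUCCESS>", the thresholds and
the sample lines are constructed assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source hammers several accounts on the
# management server, then logs in; a second source is a normal user typo.
SAMPLE_LOG = """\
2020-05-27T10:00:01 203.0.113.7 admin FAIL
2020-05-27T10:00:03 203.0.113.7 admin FAIL
2020-05-27T10:00:05 203.0.113.7 backup FAIL
2020-05-27T10:00:06 203.0.113.7 svc_deploy FAIL
2020-05-27T10:00:08 203.0.113.7 admin FAIL
2020-05-27T10:00:09 203.0.113.7 svc_deploy SUCCESS
2020-05-27T10:05:00 198.51.100.2 jsmith FAIL
2020-05-27T10:05:20 198.51.100.2 jsmith SUCCESS
"""

FAIL_THRESHOLD = 5            # failures from one source inside the window
WINDOW = timedelta(minutes=2)  # sliding window for counting failures


def parse_line(line):
    """Split one constructed log line into (timestamp, source, user, ok)."""
    ts, src, user, result = line.split()
    return datetime.fromisoformat(ts), src, user, result == "SUCCESS"


def detect_bruteforce(log_text, fail_threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return alerts as (kind, source_ip, user, timestamp) tuples.

    "bruteforce" fires when a source reaches `fail_threshold` failures
    inside `window`; "compromise" fires when that same source then logs
    in successfully, which is the PonyFinal entry point the text describes.
    """
    failures = defaultdict(list)  # source_ip -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, user, ok = parse_line(line)
        # Drop failures that fell out of the sliding window.
        recent = [t for t in failures[src] if t >= ts - window]
        if ok:
            if len(recent) >= fail_threshold:
                alerts.append(("compromise", src, user, ts))
            failures[src] = []  # a success ends the run either way
        else:
            recent.append(ts)
            failures[src] = recent
            if len(recent) == fail_threshold:  # alert once per run
                alerts.append(("bruteforce", src, user, ts))
    return alerts


if __name__ == "__main__":
    for kind, src, user, ts in detect_bruteforce(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind:<10} source={src} user={user}")
```

The "compromise" alert is the one worth paging on: it names the account that should be disabled and the server whose session history and scheduled tasks need review, which is where the text says the data-collection script gets launched.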

PonyFinal attacks go something like this.


An attack may also use stolen RDP credentials, vulnerabilities in Internet-facing systems, and misconfigured applications. In some cases the attackers covertly deployed the Java Runtime Environment (JRE) that PonyFinal needs; in others they used a JRE already installed on the victim's computer to launch the ransomware.

Files encrypted by PonyFinal have the .enc extension. Moreover, the encryption scheme is robust: there is currently no method or free tool for decrypting the affected data. Therefore, Cloud4Y warns: do not become the next victim. Take action within your company to reduce the likelihood of a successful attack by this new ransomware.
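Since there is no decryptor, the remaining defensive value of the .enc extension is as a detection signal: a single process renaming many files to .enc in a short burst is the encryption phase in progress. The following is an added example, not code from the Cloud4Y post; the file-event record layout, the `java.exe` process name, the paths, the threshold and the window are constructed assumptions for illustration.

```python
"""Alert on a burst of files being renamed to the .enc extension.

Added example (not from the original post). The FileEvent record, the
sample events, the threshold and the window are constructed assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

ENC_SUFFIX = ".enc"   # extension the post attributes to PonyFinal output
RENAME_THRESHOLD = 10  # .enc renames by one (host, process) inside WINDOW
WINDOW = timedelta(seconds=60)


@dataclass
class FileEvent:
    ts: datetime
    host: str
    process: str
    src: str
    dst: str


@dataclass
class Alert:
    host: str
    process: str
    ts: datetime
    count: int


def is_enc_rename(event):
    """True when a file that was not .enc becomes .enc (case-insensitive)."""
    return (event.dst.lower().endswith(ENC_SUFFIX)
            and not event.src.lower().endswith(ENC_SUFFIX))


def detect_mass_enc_rename(events, threshold=RENAME_THRESHOLD, window=WINDOW):
    """Return one Alert per (host, process) whose .enc renames reach
    `threshold` inside a sliding `window`. Events must be time-ordered."""
    recent = defaultdict(deque)  # (host, process) -> timestamps in window
    alerted = set()
    alerts = []
    for ev in events:
        if not is_enc_rename(ev):
            continue
        key = (ev.host, ev.process)
        q = recent[key]
        q.append(ev.ts)
        while q and q[0] < ev.ts - window:  # expire old renames
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append(Alert(ev.host, ev.process, ev.ts, len(q)))
    return alerts


def build_sample_events():
    """Constructed sample: 12 rapid .enc renames by java.exe on FS01, a
    benign rename, and one lone .enc rename by a backup tool on FS02."""
    base = datetime.fromisoformat("2020-05-27T11:00:00")
    events = []
    for i in range(12):
        src = f"C:\\Shares\\finance\\report{i}.xlsx"
        events.append(FileEvent(base + timedelta(seconds=2 * i), "FS01",
                                "java.exe", src, src + ENC_SUFFIX))
    events.append(FileEvent(base + timedelta(seconds=5), "FS01", "explorer.exe",
                            "C:\\Users\\j\\draft.docx", "C:\\Users\\j\\final.docx"))
    events.append(FileEvent(base + timedelta(seconds=40), "FS02", "backup.exe",
                            "C:\\Backups\\a.tar", "C:\\Backups\\a.tar.enc"))
    return sorted(events, key=lambda e: e.ts)


if __name__ == "__main__":
    for a in detect_mass_enc_rename(build_sample_events()):
        print(f"{a.ts.isoformat()} host={a.host} process={a.process} "
              f"renames_in_window={a.count}")
```

Keying the counter on (host, process) rather than on the extension alone keeps a single legitimate .enc file from firing, while a Java process touching a file share at this rate is exactly the JRE-hosted encryptor the text describes and is a reason to isolate that host immediately.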

What else can you read on the Cloud4Y blog

→ What is the geometry of the universe?
→ Easter eggs on topographic maps of Switzerland
→ A simplified and very short history of the development of "clouds"
→ How the bank "broke"
→ Do you need clouds in space

Subscribe to our Telegram-channel, so as not to miss another article. We write no more than twice a week and only on business.
