PonyFinal Ransomware

Microsoft has issued warnings about PonyFinal, a Java-based ransomware that threat actors have used extensively during the last two months. This type of ransomware is what some are calling “human-operated,” similar to Ryuk, Sodinokibi, and Bitpaymer. Instead of automatically encrypting files on one computer as soon as the malware runs, attackers use remote access tools to manually explore the network and expand their access to as many critical servers as possible before encrypting files across all servers at once, causing the maximum amount of damage. Once encryption is finished, it drops a ransom note titled “README_files.txt” that includes payment instructions. PonyFinal is one of the ransomware varieties believed to be connected to some of the attacks on hospitals during the peak of the COVID-19 pandemic.

Analyst Notes

Microsoft has suggested that organizations protect themselves by making sure any web-facing tools such as VPNs have received the most recent updates. It is also advised to carry out audits and penetration tests to reveal any specific vulnerabilities in a network. Brute-force authentication activity is the signal organizations should monitor for when looking to discover PonyFinal. It is important to create secure backups often and protect them from destruction by attackers, because backups can recover much of the data if the network is compromised. The best defense is to constantly monitor systems for signs of intrusion and respond quickly, while the attackers are still in the exploratory phase, to stop the attack before critical servers are affected. A Security Operations Center (SOC), whether staffed with internal employees or operated by a managed security services provider, should be on duty 24 hours a day to respond to attacks.
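The analyst note above points at brute-force activity as the thing to hunt for during the attackers' exploratory phase. The following is an added detection example, not code from Microsoft's report or from this page: it runs a sliding-window count of failed logons per source address over a handful of constructed log lines. The log format (an ISO timestamp, a Windows-style event id where 4625 is a failed logon and 4624 a success, then `src=` and `user=` fields), the addresses, the account names, and the threshold of 10 failures in 5 minutes are all assumptions for illustration; a SOC would map the parser onto whatever its collector actually emits and tune the threshold to its own baseline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log lines (not from Microsoft's report or
# the page). Assumed format: "<ISO timestamp> <event id> src=<ip> user=<account>",
# where 4625 is a failed logon and 4624 a successful one.
SAMPLE_LOGS = (
    ["2020-06-01T10:00:00 4624 src=198.51.100.7 user=jdoe"]
    # 12 failures from one source in under three minutes, cycling three accounts
    + [
        f"2020-06-01T10:0{i // 4}:{(i % 4) * 15:02d} 4625 src=203.0.113.5 user={user}"
        for i, user in enumerate(["administrator", "backup", "svc_sql"] * 4)
    ]
    # two isolated failures from a second source, half an hour apart
    + [
        "2020-06-01T10:00:30 4625 src=198.51.100.7 user=jdoe",
        "2020-06-01T10:30:00 4625 src=198.51.100.7 user=jdoe",
        "this line is not in the expected format and is skipped",
    ]
)

LINE_RE = re.compile(r"^(\S+) (\d+) src=(\S+) user=(\S+)$")


def parse_line(line):
    """Return (timestamp, event_id, src_ip, user), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, event_id, src, user = m.groups()
    return datetime.fromisoformat(ts), int(event_id), src, user


def detect_bruteforce(lines, threshold=10, window=timedelta(minutes=5)):
    """Flag every source with at least `threshold` failed logons inside any
    sliding window of length `window`. Returns one alert dict per source,
    highest failure count first."""
    failures = defaultdict(list)  # src_ip -> list of (timestamp, user)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable lines are skipped, not fatal
        ts, event_id, src, user = parsed
        if event_id == 4625:
            failures[src].append((ts, user))

    alerts = []
    for src, events in failures.items():
        events.sort()
        times = [ts for ts, _ in events]
        peak, start = 0, 0
        peak_range = (times[0], times[0])
        # two-pointer sliding window: advance `start` until the span fits in `window`
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > peak:
                peak = end - start + 1
                peak_range = (times[start], times[end])
        if peak >= threshold:
            alerts.append({
                "src": src,
                "failures_in_window": peak,
                "window_start": peak_range[0].isoformat(),
                "window_end": peak_range[1].isoformat(),
                # many accounts from one source hints at spraying rather than one guessed password
                "distinct_accounts": len({user for _, user in events}),
            })
    return sorted(alerts, key=lambda a: a["failures_in_window"], reverse=True)


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOGS):
        print(alert)
```

On the constructed input only 203.0.113.5 is flagged (12 failures across 3 accounts in under three minutes); the two failures from 198.51.100.7 fall below the threshold, and the malformed line is ignored. The `distinct_accounts` field is there because a single source cycling through many accounts is the pattern worth escalating first when a human-operated intrusion is suspected.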