Microsoft’s security team released a string of tweets cautioning organizations to deploy defenses against a new strain of ransomware called PonyFinal that has been active over the last two months.

PonyFinal, a Java-based ransomware that threat actors distribute manually, first emerged earlier this year and has been used in highly targeted attacks, mostly against organizations in India, Iran, and the US.

In human-operated ransomware attacks, intruders use stolen credentials and abuse misconfigurations and vulnerabilities to gain access to target networks, then attempt to escalate privileges and move laterally, deploy malware, and exfiltrate data.

Well-known human-operated ransomware campaigns include Sodinokibi, Samas, BitPaymer, and Ryuk.

PonyFinal operators typically gain initial access by brute-forcing an organization’s systems management server, then deploy a VBScript that runs a PowerShell reverse shell to perform data dumps. The attackers also use a remote manipulator system to evade event logging.

Once the PonyFinal attackers have access to the target’s network, they move laterally to infect other systems with the ransomware.

In most cases, the criminals targeted workstations with the Java Runtime Environment (JRE) installed, since PonyFinal is written in Java.

PonyFinal typically appends the “.enc” extension to the names of encrypted files and drops a ransom note named README_files.txt on affected systems. The note contains the payment instructions.
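As an added example (not code from the article or from Microsoft), a small Python triage routine a responder could run over a suspect file share to locate directories showing the two PonyFinal markers named above; the directory layout, file names and the three-file threshold are constructed assumptions for the demo.

```python
import os
import tempfile
from pathlib import Path

ENC_EXT = ".enc"                  # extension PonyFinal appends (from the article)
RANSOM_NOTE = "README_files.txt"  # ransom note file name (from the article)


def scan_for_ponyfinal_markers(root, min_enc_files=3):
    """Walk `root` and report directories that show PonyFinal encryption markers.

    A directory is reported when it holds the ransom note or at least
    `min_enc_files` files ending in .enc; the threshold (an assumption) avoids
    flagging a directory over a single, possibly legitimate, .enc file.
    Returns {dir_path: {"enc_files": count, "ransom_note": bool}}.
    """
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        enc_count = sum(1 for f in filenames if f.lower().endswith(ENC_EXT))
        has_note = RANSOM_NOTE in filenames
        if has_note or enc_count >= min_enc_files:
            hits[dirpath] = {"enc_files": enc_count, "ransom_note": has_note}
    return hits


def build_sample_tree(base):
    """Create a constructed directory layout mimicking a partly encrypted host."""
    hr = Path(base) / "shares" / "hr"
    hr.mkdir(parents=True)
    for name in ("payroll.xlsx.enc", "contracts.docx.enc", "photos.zip.enc"):
        (hr / name).write_bytes(b"\x00" * 16)  # constructed ciphertext placeholder
    (hr / RANSOM_NOTE).write_text("constructed ransom note text\n")
    public = Path(base) / "shares" / "public"
    public.mkdir(parents=True)
    (public / "notes.txt").write_text("untouched file\n")
    (public / "archive.enc").write_bytes(b"\x00")  # lone .enc file, below threshold
    return str(base)


def run_demo():
    """Build the constructed tree in a temp dir, scan it, and return the hits
    keyed by path relative to the root so the result is stable across machines."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        hits = scan_for_ponyfinal_markers(root)
        return {os.path.relpath(d, root).replace(os.sep, "/"): info
                for d, info in hits.items()}


if __name__ == "__main__":
    for directory, info in run_demo().items():
        print(directory, info)
```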

Experts noted that PonyFinal’s encryption scheme is secure, and recovering encrypted files is not currently possible.

Regrettably, PonyFinal is one of several human-operated ransomware families used in attacks aimed at the healthcare sector during the coronavirus outbreak.
