Microsoft told organizations Wednesday to focus less on the payload of Java-based ransomware PonyFinal and instead key “more on how it’s delivered” via human-operated ransomware attacks.
“PonyFinal is at the tail end of protracted human-operated ransomware campaigns that are known to stay dormant and wait for the most opportune time to deploy the payload,” Microsoft Security Intelligence warned in a series of tweets, urging companies to “learn how to build organizational security hygiene” to prevent the attacks.
Attackers have been observed gaining access by brute-forcing a systems management server, deploying a VBScript and then running a PowerShell reverse shell to dump data. A remote manipulator system lets them bypass event logging.
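A defender's view of that chain, as an added example that is not from the article or from Microsoft: it correlates a burst of failed logons against a management host with a later PowerShell launch from a script host on the same machine. The log records, host names, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry): ISO time, host, event, detail.
# They model the chain described above: password guessing against a systems
# management server, one successful logon, then a script host spawning PowerShell.
EVENTS = [
    ("2020-05-27T01:00:01", "sms01", "logon_fail", "10.0.5.9"),
    ("2020-05-27T01:00:03", "sms01", "logon_fail", "10.0.5.9"),
    ("2020-05-27T01:00:05", "sms01", "logon_fail", "10.0.5.9"),
    ("2020-05-27T01:00:08", "sms01", "logon_fail", "10.0.5.9"),
    ("2020-05-27T01:00:11", "sms01", "logon_fail", "10.0.5.9"),
    ("2020-05-27T01:00:14", "sms01", "logon_ok", "10.0.5.9"),
    ("2020-05-27T01:09:30", "sms01", "process", "wscript.exe -> powershell.exe"),
    ("2020-05-27T08:15:00", "ws17", "logon_fail", "10.0.7.2"),
    ("2020-05-27T08:15:40", "ws17", "logon_ok", "10.0.7.2"),
    ("2020-05-27T08:20:00", "ws17", "process", "explorer.exe -> powershell.exe"),
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")

def correlate(events, fail_threshold=5, fail_window=timedelta(minutes=5),
              follow_window=timedelta(hours=1)):
    """Return (host, source, process) tuples where fail_threshold failed logons
    from one source within fail_window are followed by a successful logon from
    that source and, within follow_window, PowerShell started by a script host.
    The thresholds are assumptions; tune them to the environment."""
    fails = defaultdict(list)   # (host, source) -> recent failed-logon times
    burst = set()               # (host, source) pairs that crossed the threshold
    suspect = {}                # host -> (source, time of the success after the burst)
    alerts = []
    for ts, host, kind, detail in sorted(events):
        t = datetime.fromisoformat(ts)
        if kind == "logon_fail":
            q = fails[(host, detail)]
            q[:] = [x for x in q if t - x <= fail_window] + [t]   # sliding window
            if len(q) >= fail_threshold:
                burst.add((host, detail))
        elif kind == "logon_ok" and (host, detail) in burst:
            suspect[host] = (detail, t)      # guessing paid off: watch this host
        elif kind == "process" and host in suspect:
            parent, _, child = detail.partition(" -> ")
            src, t0 = suspect[host]
            if child == "powershell.exe" and parent in SCRIPT_HOSTS \
                    and t - t0 <= follow_window:
                alerts.append((host, src, detail))
    return alerts
```

The second host shows the point of correlating rather than alerting on PowerShell alone: a single failed logon and an interactive PowerShell start produce no alert.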
“We usually discover that the attack vector for ransomware was through a user's endpoint and email clicks,” said James McQuiggan, security awareness advocate for KnowBe4. “With this type of attack, it all starts with the attackers using brute force to gain access to a system within the organization's network.”
While the hackers deploy Java Runtime Environment, needed for the ransomware to run, “evidence suggests” they “use information stolen from the systems management server to target endpoints” that already have JRE installed, the tech giant said.
PonyFinal is delivered via an MSI file containing two batch files – one that creates a Java Updater file and another that runs the PonyFinal JAR payload – as well as the payload itself.
“Organizations want to establish robust procedures for administrative access to their critical systems with multi-factor authentication or a more robust password of 30 characters or more to reduce the risk of a brute force attack,” said McQuiggan. “It's essential to monitor networks and systems of new software deployments, scheduled tasks, and loaded scripts to avoid possible exploitation, which provides the criminal groups an easy way into the network.”