Between Q3 and Q4 of last year, the average ransom demanded in a ransomware attack increased 104%, reaching $84,116. However, some variants of ransomware demand even more, especially if the malware targets large companies, as is the case with Ryuk. Given that this ransomware targets corporate environments, focusing on the Enterprise segment, it demands an average ransom of over $1.3 million.

However, high costs are not the only danger related to an attack of this kind; a new, increasingly prevalent trend among ransomware operators is to combine their attacks with a data breach. This way, cybercriminals have stolen data that they can try to monetize if the victim does not pay the ransom, which also serves to blackmail the victim. A short while ago, Microsoft warned of a new ransomware strain that combines these two tactics.

PonyFinal: A new manually operated ransomware

Towards the end of May this year, the tech giant published a series of tweets in which it warned of a new strain of Java-based ransomware called PonyFinal, which also steals its victims' data. As Microsoft explains, this new ransomware is manually operated by cybercriminals, unlike commoditized variants, which are distributed automatically.

How PonyFinal works

To gain entry to its victim’s system, the PonyFinal operators carry out a brute force attack against Microsoft Systems Management Server (SMS). The next step is to deploy a VBScript to run a PowerShell reverse shell, which enables the attackers to exfiltrate data to a C&C server. In this phase of the attack, the attackers also launch a remote manipulator system to bypass event logging.

In certain cases, the attackers launch the Java Runtime Environment (JRE), which PonyFinal needs to run, since it is based on Java. However, there is evidence to suggest that the attackers use information stolen from SMS to be able to target endpoints where JRE is already installed. This means that companies that already have JRE installed may be blind to this attack.

PonyFinal is delivered through an MSI file, which contains two batch files and the ransomware payload. UVNC_Install.bat creates a scheduled task called “Java Updater”, and calls RunTask.bat, which executes the payload, PonyFinal.JAR.
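The delivery chain described above leaves a scheduled-task creation record behind, so it can be hunted for. The following is an added example, not code from Microsoft or Panda Security: it triages task-creation records shaped like a simplified export of Windows Security event 4698 (the dict layout, host names and paths are assumptions constructed for the example) against the task and file names given in this article.

```python
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
TASK_NAME = "java updater"  # task name given in the article, lower-cased
FILE_IOCS = ("uvnc_install.bat", "runtask.bat", "ponyfinal.jar")  # from the article
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".ps1", ".jar")

def exec_actions(task_xml):
    """Return 'command arguments' for every Exec action in a task definition."""
    root = ET.fromstring(task_xml)
    out = []
    for ex in root.findall("./t:Actions/t:Exec", NS):
        cmd = (ex.findtext("t:Command", "", NS) or "").strip()
        args = (ex.findtext("t:Arguments", "", NS) or "").strip()
        out.append(f"{cmd} {args}".strip())
    return out

def triage(event):
    """List the reasons a task-creation record resembles the chain described."""
    name = event["TaskName"].rsplit("\\", 1)[-1].lower()
    try:
        actions = exec_actions(event["TaskContent"])
    except ET.ParseError:
        return ["unparseable task XML"]
    reasons = ["task name 'Java Updater'"] if name == TASK_NAME else []
    for a in actions:
        low = a.lower()
        reasons += [f"references {ioc}" for ioc in FILE_IOCS if ioc in low]
        if name == TASK_NAME and any(
                tok.strip('"').endswith(SCRIPT_EXT) for tok in low.split()):
            reasons.append("'Java Updater' task runs a script or JAR")
    return reasons

def _task(cmd, args=""):
    """Build a minimal task definition for the constructed samples below."""
    return (f'<Task xmlns="{NS["t"]}"><Actions><Exec><Command>{cmd}</Command>'
            f'<Arguments>{args}</Arguments></Exec></Actions></Task>')

# Constructed records for illustration, not captured telemetry.
SAMPLE_EVENTS = [
    {"Host": "ws-014", "TaskName": "\\Java Updater", "TaskContent": _task(r"C:\ProgramData\demo\RunTask.bat")},
    {"Host": "ws-022", "TaskName": "\\Vendor\\Nightly Backup", "TaskContent": _task(r"C:\Tools\backup.exe", "/full")},
    {"Host": "ws-031", "TaskName": "\\Maintenance", "TaskContent": _task("cmd.exe", r"/c C:\Temp\UVNC_Install.bat")},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["Host"], triage(ev) or "clean")
```

A match on the task name alone is weak evidence, since names are trivial to change; the combination of that name with a script or JAR action is the stronger signal.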

The operators wait for the perfect moment…

Microsoft explained that the PonyFinal operators wait for a specific time and date to encrypt their victim’s files. Like other similar manually operated ransomware, the PonyFinal operators bide their time, waiting for the most opportune moment to deploy the payload. In the case of the recent attacks on hospitals, this moment was at the start of April, at the peak of the COVID-19 pandemic.

The solution: Patches and monitoring

To stop PonyFinal getting onto corporate systems, Microsoft has recommended that organizations reduce the attack surface by ensuring that all Internet-facing assets are updated with the relevant patches. This is particularly important for VPNs and other remote access tools, which have been used more than ever during the pandemic. It is also vital to carry out frequent audits for misconfigurations and vulnerabilities.

Many organizations have trouble prioritizing and applying relevant patches. This is why Panda Security has a solution to streamline the process of discovering, planning, and installing patches, with Panda Patch Management. This solution provides real-time visibility of pending patches and updates, as well as unsupported and EoL software. This way, you can be sure to always have the patches you need to ensure your company is safe.

Microsoft also recommends scanning for brute force activity. Panda Adaptive Defense constantly monitors all activity on the IT system. It stops any suspicious activity, even the most advanced cyberthreats, before they can cause any damage.

PonyFinal, Ryuk, and Netwalker are some of the new ransomware variants that are causing problems on IT systems in 2020. Protect your organization against these and any other cyberthreats with the cybersecurity suite Adaptive Defense 360.