Microsoft notified its users that removing from accounts permissions security identifiers (SID) those with complicated…
“Typically, the invasion point is the account on the system management server, where PonyFinal operators invade with the help of brute force attacks and the selection of weak passwords. On the server, the hackers deploy a Visual Basic script that runs the PowerShell reverse shell to collect and steal data”, — say Microsoft researchers.
Having invaded the network of the target company, the attackers spread the infection to other local systems, and then they introduce the PonyFinal ransomware itself. In most cases, hackers attack workstations on which the Java Runtime Environment (JRE) is installed, since PonyFinal is written in Java.
However, Microsoft experts note that they also recorded cases where the group independently installed JRE in the victims’ systems before launching the ransomware.
Files encrypted using PonyFinal usually have the extension .enc. The PonyFinal encryption scheme is considered reliable, as currently there are no ways and available tools to decrypt the affected data.
Emsisoft specialist Michael Gillespie notes that users, which uploaded malware samples to ID-Ransomware for identification were from India, Iran, and the United States.
According to Microsoft, PonyFinal is on the short list of ransomware managed by live operators. Recently, such malware has been repeatedly used against organizations from the health sector, despite the current pandemic of the coronavirus, as was did, for example, Maze ransomware.
In addition to PonyFinal, this list includes: RobbinHood, NetWalker, Maze, REvil (Sodinokibi), Paradise, MedusaLocker and LockBit.
And live operators also rule RagnarLocker, which uses virtual machines to hide its activities.
News-bpudepi.today is a domain that tries to trick you into subscribing to its browser notifications…
Doguhtam.xyz is a site that tries to trick you into subscribing to its browser notifications…
News-xlixoti.com is a site that tries to force you into subscribing to its browser notifications…
Ducesousightion.com is a domain that tries to trick you into clik to its browser notifications…
News-xlabica.live is a domain that tries to trick you into clik to its browser notifications…
Mergechain.co.in is a site that tries to trick you into subscribing to its browser notifications…