Most ransomware threats encrypt their targets' data and ask the victims to pay a ransom fee in exchange for a decryption tool. However, cybercriminals have developed a new scheme that is used mainly against businesses and organizations rather than regular users. The authors of the newly detected PonyFinal Ransomware are among the cyber crooks that utilize this technique. The victims of the PonyFinal Ransomware are not only asked to pay a ransom fee to recover their data, but are also threatened that unless the payment is processed successfully, their files will be leaked online. Naturally, no organization or company would want its confidential data and conversations leaked online, as this would likely cause great damage.
The PonyFinal Ransomware is written in Java. According to cybersecurity researchers, the attacks may not be fully automated. Instead, it is likely that part of the operation is carried out manually. This approach leads experts to believe that the attackers are not using the classic infection vectors utilized by most ransomware authors, such as phishing emails, malvertising and fake application updates.
It would appear that the creators of the PonyFinal Ransomware are brute-forcing servers and services that are not properly secured. After infiltrating a targeted host, the attackers likely utilize a set of PowerShell scripts that enables them to detect and exfiltrate files that may be considered important based on their filenames and filetypes. The collected files are transferred to the attackers' C&C (Command & Control) server. Next, the attackers execute the PonyFinal Ransomware manually on the compromised system.
The PonyFinal Ransomware is designed to target and encrypt a wide variety of filetypes. The newly encrypted files have their names changed, as the PonyFinal Ransomware appends a '.enc' extension to them. For example, a file initially named 'blue-skies.jpg' will be renamed to 'blue-skies.jpg.enc'. Next, the PonyFinal Ransomware drops a ransom note that lists its demands and instructions. The attackers ask to be paid 300 Bitcoin (nearly $3 million) in exchange for a decryption tool and the attackers' promise not to leak the classified data. So far, unsurprisingly, no victims appear to have paid the demanded ransom fee. There is no data pointing to the attackers leaking any important files, either. Most of the targets of the PonyFinal Ransomware seem to be located in the United States, India and Iran.
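As an added defender-side example (not code from the original article or from any PonyFinal sample), the following Python flags hosts that produce a burst of files renamed with the '.enc' extension described above, where the original extension is kept in front of it; the audit-log events are constructed, and the 60-second window and 20-file threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches '<original>.<ext>.enc', e.g. 'blue-skies.jpg.enc': the original
# extension is preserved and '.enc' is appended after it.
PONYFINAL_ENC = re.compile(r"^(?P<stem>.+\.[A-Za-z0-9]{1,8})\.enc$")


def _basename(path: str) -> str:
    # Handle both Windows and POSIX separators in the log regardless of host OS.
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def is_ponyfinal_rename(path: str) -> bool:
    """True if the file name looks like '<original>.<ext>.enc'."""
    return PONYFINAL_ENC.match(_basename(path)) is not None


def original_name(path: str):
    """Recover the pre-encryption file name, or None if the pattern does not fit."""
    m = PONYFINAL_ENC.match(_basename(path))
    return m.group("stem") if m else None


def find_enc_bursts(events, window_seconds=60, threshold=20):
    """events: (iso_timestamp, host, path) tuples from a file-audit log.
    Returns {host: peak_count} for hosts with >= threshold '.enc' renames
    inside any sliding window of window_seconds (assumed thresholds)."""
    per_host = defaultdict(list)
    for ts, host, path in events:
        if is_ponyfinal_rename(path):
            per_host[host].append(datetime.fromisoformat(ts))
    alerts = {}
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[host] = max(alerts.get(host, 0), count)
    return alerts


def sample_events():
    """Constructed audit-log sample, not real telemetry."""
    ev = [(f"2020-06-01T10:00:{i:02d}", "srv-01", f"D:\\share\\doc{i}.docx.enc")
          for i in range(25)]                      # 25 renames in 24 seconds
    ev.append(("2020-06-01T09:00:00", "ws-07", "C:\\Users\\a\\blue-skies.jpg.enc"))
    ev.append(("2020-06-01T18:00:00", "ws-07", "C:\\Users\\a\\archive.zip.enc"))
    ev.append(("2020-06-01T10:00:05", "ws-07", "C:\\Users\\a\\notes.txt"))  # benign
    return ev
```

A single '.enc' file is not evidence on its own; the burst of renames across a share within a short window is the signal worth alerting on.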
The PonyFinal Ransomware operations are still fairly limited, with only a few companies having been successfully breached by the attackers. So far, there is no freely available decryption tool that would help the victims recover their data.