PonyFinal presents new ransomware threat

Johannesburg, 08 Jun 2020
Zaheer Ebrahim

Ransomware is a constant risk in the digital landscape, and a new family, written in Java and dubbed PonyFinal, has now been found in the wild. The attackers first gain access to a company's systems through a brute force attack on login credentials. Once inside, they deliver the ransomware payload themselves.
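The brute force entry point described above is the part of this attack a defender can see earliest, because every guess leaves a failed-login record. The following added example, which is not code from the article or from Trend Micro, shows the detection logic a security operations team would run over authentication logs: it flags a source address that produces many failures inside a short window, and escalates when a successful login from that same address follows the burst, which is what a brute-forced foothold looks like. The log format, field names and sample lines are constructed for the example.

```python
"""Brute-force login detection over authentication log lines.

Added example (not from the original article or from Trend Micro): flags a
source address that produces many failed logins inside a short window, and
raises a higher-severity alert when a successful login from that address
follows the burst, which is the pattern a brute-forced foothold leaves behind.
The log format and the sample lines below are constructed for the example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed format (assumption): "<ISO timestamp> <FAIL|OK> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log: one noisy address cycling through usernames,
# and one ordinary user who mistypes a password once.
SAMPLE_LOG = """\
2020-04-12T02:00:01 FAIL user=administrator src=203.0.113.7
2020-04-12T02:00:02 FAIL user=administrator src=203.0.113.7
2020-04-12T02:00:03 FAIL user=admin src=203.0.113.7
2020-04-12T02:00:04 FAIL user=admin src=203.0.113.7
2020-04-12T02:00:05 FAIL user=svc_backup src=203.0.113.7
2020-04-12T02:00:06 FAIL user=svc_backup src=203.0.113.7
2020-04-12T02:00:09 OK user=svc_backup src=203.0.113.7
2020-04-12T02:15:00 FAIL user=jsmith src=198.51.100.20
2020-04-12T02:15:30 OK user=jsmith src=198.51.100.20
"""


def parse_line(line):
    """Return (timestamp, result, user, src), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"])


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Scan log lines in order and return a list of (severity, src, detail) alerts.

    threshold: number of failed logins from one source inside `window` that
    raises a HIGH alert. A later successful login from a source that has
    already been flagged raises a CRITICAL alert (probable compromise).
    """
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    users_tried = defaultdict(set)  # src -> distinct usernames attempted
    flagged = set()
    alerts = []

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, result, user, src = rec

        if result == "FAIL":
            q = failures[src]
            q.append(ts)
            users_tried[src].add(user)
            # Drop failures that have fallen out of the sliding window.
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("HIGH", src,
                               f"{len(q)} failed logins in {window} "
                               f"across {len(users_tried[src])} usernames"))
        elif result == "OK" and src in flagged:
            # Success after a burst of failures: treat as a probable compromise.
            alerts.append(("CRITICAL", src,
                           f"successful login as {user} after brute-force burst"))
    return alerts


if __name__ == "__main__":
    for severity, src, detail in detect_bruteforce(SAMPLE_LOG):
        print(f"{severity}: {src}: {detail}")
```

Run against the constructed sample, the function returns two alerts for 203.0.113.7: a HIGH alert at the fifth failure (three usernames tried) and a CRITICAL alert when the svc_backup login succeeds; the single mistyped password from 198.51.100.20 produces nothing. The threshold and window are deliberately parameters, because the right values depend on how noisy a given environment's legitimate failures are.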

“Essentially, the malware deploys a script to perform data dumps. Perhaps more concerning is the fact that the malware ‘waits’ for the ideal time to make the most financial gain before it executes, remaining undetected on the infected system until it is too late. Subsequently, as per any other ransomware, the company files are then encrypted, and a ransom note is left,” says Zaheer Ebrahim, Senior Sales Engineer South Africa at Trend Micro Sub-Saharan Africa.

Beyond the way it gains entry, PonyFinal differs from commodity ransomware in that it is deployed and triggered by human operators rather than running automatically once dropped. This is why it can lie dormant until the attacker decides on the moment at which encryption will cause the most financial damage to the target organisation.

As such, the damage potential of PonyFinal is high, and local organisations must take the risk of this ransomware seriously. To this end, a business must ensure its cyber security solutions are always up to date with the latest definitions and patches.

“Given how more people are working remotely than ever, companies should continually focus on employee education and highlighting what constitutes good cyber security practice. But, in addition to telling people not to click on suspicious links or download files from unconfirmed sources, management must make sure the security and system software of their remote workers are updated to provide the best level of protection. The same applies to their personal routers and devices,” adds Ebrahim.

Users should also scan their computers and remove any files detected as ‘Ransom.Java.PONYFINAL.B’. If the detected files have already been cleaned, deleted or quarantined by the Trend Micro security product, no further steps are required; the quarantined files can simply be removed.

The first detection of PonyFinal goes back to April this year, with most of the current campaigns targeting companies in India, Iran and the United States. However, no organisation, irrespective of its geographic location or size, should consider itself safe from attacks.

“When it comes to ransomware, it really is only a matter of when rather than if a company will be targeted. Companies must therefore continually assess their cyber security policies and solutions, especially as the new normal will require people to access mission-critical data remotely,” concludes Ebrahim.

To read how to enable the ransomware protection feature in TrendMicro Apex One and OfficeScan, please follow this link. And for more technical information on the PonyFinal malware, you can visit this link.


Editorial contacts

Charlize van Schalkwyk