A New Ransomware Deploys Human-Operated Attacks Against Healthcare Sector

Published at: May 28, 2020

Microsoft's security team has disclosed a new ransomware family that is deployed in human-operated attacks. Its operators gain a foothold by brute-forcing a target company's systems management server, and the campaign has mainly targeted the healthcare sector amid the COVID-19 crisis.

According to a series of tweets published by the tech giant on May 27, the human-operated ransomware, named "PonyFinal", requires the attackers to first break into the corporate network and then deploy the ransomware by hand.

That means PonyFinal does not rely on tricking users into launching the payload through phishing links or email attachments; the operators are already inside the network when the payload is run.

A Java-based ransomware attack

PonyFinal is written in Java and needs a Java Runtime Environment (JRE) to run, so the attackers deploy a JRE where one is missing. Evidence found by Microsoft shows that they use information stolen from the systems management server to single out endpoints where a JRE is already installed.

The report further states that the ransomware is delivered as an MSI file that contains two batch files and the ransomware payload; the payload is activated by the attacker rather than by the victim.

Phillip Misner, research director of Microsoft Threat Protection, notes that PonyFinal joins other human-operated ransomware campaigns such as BitPaymer, Ryuk, REvil, and Samas. PonyFinal was first detected at the beginning of April.

More than one group of attackers is using PonyFinal

The report highlights that the ransomware cannot be attributed to a single group, as several attacker groups are using the same PonyFinal payload.

Speaking with Cointelegraph, Brett Callow, threat analyst at malware lab Emsisoft, provided the following feedback on PonyFinal:

"Human-operated ransomware such as PonyFinal is not unusual and nor is its delivery method which, according to Microsoft, is 'thru brute force attacks against a target company's systems management server.' Attacks on internet-facing servers are not at all unusual and account for a significant percentage of ransomware incidents. But they're also mostly preventable as such attacks typically only succeed because of a security weakness or vulnerability."

Callow adds that companies can significantly reduce the likelihood of being successfully attacked by adhering to best practices: using multi-factor authentication, patching promptly, and disabling PowerShell when possible.
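The initial access described above, repeated brute-force logins against an internet-facing management server, leaves a recognisable trail in authentication logs long before any payload is dropped. The script below is an added example (not code from Microsoft, Cointelegraph or the PonyFinal operators) that flags a source address once its failed logins cross a threshold inside a sliding time window, records which usernames it tried, and notes whether a successful login followed the burst, which is the point at which the attacker has the foothold the article describes. The log format, the host name `mgmt01` and the IP addresses are constructed for illustration and are not real indicators.

```python
"""Detect brute-force / password-spraying logins against a management server.

Added example. The syslog-like lines below are constructed for illustration;
they are not PonyFinal indicators or anything published by Microsoft.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log for a hypothetical management host "mgmt01".
# One source runs a quick spray of several accounts and then logs in;
# another source has a single typo-style failure hours before a success.
SAMPLE_LOG = """\
2020-05-20T02:14:01Z mgmt01 auth: FAILED login user=admin src=203.0.113.7
2020-05-20T02:14:03Z mgmt01 auth: FAILED login user=administrator src=203.0.113.7
2020-05-20T02:14:05Z mgmt01 auth: FAILED login user=svc_backup src=203.0.113.7
2020-05-20T02:14:06Z mgmt01 auth: FAILED login user=admin src=203.0.113.7
2020-05-20T02:14:08Z mgmt01 auth: FAILED login user=root src=203.0.113.7
2020-05-20T02:14:10Z mgmt01 auth: FAILED login user=admin src=203.0.113.7
2020-05-20T02:14:12Z mgmt01 auth: SUCCESS login user=admin src=203.0.113.7
2020-05-20T02:30:00Z mgmt01 auth: FAILED login user=jdoe src=198.51.100.5
2020-05-20T08:30:00Z mgmt01 auth: SUCCESS login user=jdoe src=198.51.100.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth: (?P<result>FAILED|SUCCESS) login "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(lines):
    """Yield (timestamp, result, user, src) for every line matching the format."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["result"], m["user"], m["src"]


def detect_brute_force(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {src: alert} for sources with >= `threshold` failures in `window`.

    Each alert records the failure count at the moment the threshold was hit,
    every username that source has tried so far, and the first successful
    login from that source after the alert (None if there was none).
    """
    events = sorted(parse(lines), key=lambda e: e[0])
    recent = defaultdict(list)   # src -> failure timestamps inside the window
    tried = defaultdict(set)     # src -> all usernames attempted by that source
    alerts = {}
    for ts, result, user, src in events:
        if result == "FAILED":
            fails = recent[src]
            fails.append(ts)
            tried[src].add(user)
            # Slide the window: discard failures older than `window`.
            while ts - fails[0] > window:
                fails.pop(0)
            if len(fails) >= threshold and src not in alerts:
                alerts[src] = {
                    "failures": len(fails),
                    "users": sorted(tried[src]),
                    "success_after": None,
                }
        elif src in alerts and alerts[src]["success_after"] is None:
            # A success right after a failure burst is the likely compromise.
            alerts[src]["success_after"] = (ts, user)
    return alerts


if __name__ == "__main__":
    for src, alert in detect_brute_force(SAMPLE_LOG.splitlines()).items():
        print(src, alert)
```

The threshold and window are tunable; a real deployment would feed the function from the management server's actual authentication log and would treat a `success_after` entry as a high-priority incident, since it means the brute force worked and the operator now has the interactive access needed to stage the MSI and run the payload by hand. Enforcing multi-factor authentication on the server, as Callow recommends, is what stops the success line from ever appearing.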

Latest ransomware attacks in the midst of the coronavirus pandemic

Ransomware attacks continue to be carried out in different parts of the world in the midst of the COVID-19 crisis, with many targeting healthcare companies.

Cointelegraph reported on March 30 that operators of Ryuk ransomware continue to target hospitals.

On May 7, hackers reportedly infected the IT infrastructure of Europe's largest private hospital operator, Germany-based Fresenius, with a ransomware known as Snake.
