PonyFinal is a Java based ransomware that is deployed in human operated ransomware attacks. While Java based ransomware are not unheard of, they are not as common as other threat file types. However, organizations should focus less on this payload and more on how it's delivered. Attackers using PonyFinal gain access through brute-force attacks on the systems management server of the target company. They deploy VBScript to run PowerShell back shell, deploy a remote manipulator system to bypass event logging, and in some cases, implement the Java Runtime Environment.
PonyFinal is delivered through an MSI file that contains two batch files and a ransomware payload. UVNC_Install.bat creates a scheduled task called "Java Updater" and calls RunTask.bat, which launches the PonyFinal.JAR payload. This is the tail end of protracted human-operated ransomware campaigns that are known to stay dormant and wait for the most opportune time to deploy the payload. PonyFinal demanded 300 BTC as ransom amount to this address 3JKX3VWDPW7gvVaXFVv3UazY29pE2LGV7b. It appends .enc to its encrypted files.