Malware analysis

PonyFinal malware: What it is, how it works and how to prevent it | Malware spotlight

Daniel Dimov
July 16, 2020 by
Daniel Dimov

Introduction to PonyFinal

PonyFinal ransomware appeared for the first time in 2020. It is malware that relies on human-operated attacks, i.e., attacks that exploit information security vulnerabilities of the targeted systems. Such vulnerabilities may include network weaknesses like bottlenecks and network disruptions. 

During the COVID-19 pandemic, the number of cyberattacks using human-operated ransomware increased significantly. Other types of human-operated ransomware include Maze, REvil (Sodinokibi), RobbinHood and NetWalker. 

Become a certified reverse engineer!

Become a certified reverse engineer!

Get live, hands-on malware analysis training from anywhere, and become a Certified Reverse Engineering Analyst.

Human-operated ransomware typically affects fewer computers than malware that propagates through phishing. This is because the former type of malware requires well-planned targeted attacks, while the latter type spreads automatically.

The purpose of this article is to examine the operation of PonyFinal and provide recommendations on how to avoid an infection with it. At the end of the article, we provide concluding remarks.

The operation of PonyFinal

PonyFinal is usually installed by conducting brute-force attacks that allow fraudsters to gain unauthorized access to an account on the targeted computer. We can define a brute-force attack as an attack that consists of submitting a large number of passwords with the aim of guessing the correct password.

Once the fraudsters compromise the targeted computer, they deploy:

  1. A Visual Basic script running a PowerShell reverse shell that has the capacity to steal local data
  2. A system that bypasses event logging

Next, the crooks gain unauthorized access to other computers within the compromised network. Afterwards, they proceed with the actual installation of PonyFinal.

PonyFinal is usually installed on workstations using the Java Runtime Environment (JRE). This is because the malware is written in Java. However, Microsoft observed cases where the JRE was installed by fraudsters in order to serve as a foundation for running the malware.

The malware starts encrypting the files of the infected computer shortly after it is executed. It adds an additional “.enc” extension to each encrypted file. The user of the infected computer is presented with a ransom note named README_files.txt. It is full of language mistakes and includes instructions on how to pay the requested ransom. An excerpt from the ransom note follows.

“To decrypted files, you need to obtain private key.

“The single copy of the private key, with will allow you to decrypt the files, is locate on a secret server on the internet;

“The server will destroy the key within 72 hours after encryption completed.

“Pay us 300 BTC, and we will decode up to 3 sample files you send us via email for verification to prove we deliver master key.”

PonyFinal uses a strong encryption mechanism. As of this writing, there is no way to decrypt the files without paying the requested ransom.

Avoiding an infection with PonyFinal

PonyFinal can be avoided by taking measures against the brute-force attacks that are at the core of the malware propagation model. Such measures need to include an account lockout policy, challenge-response tests and strong password policies. Let’s take a look.

An account lockout policy

Since brute-force attacks require a large number of password entry attempts in order to guess the correct password, organizations will benefit from adopting policies allowing up to three password entries. Once the three attempts are exhausted, further attempts can be made only after the administrator reactivates the account. 

A major disadvantage of this method is that it allows fraudsters to permanently block the access to user accounts by submitting multiple password entries.

An account lockout policy may also be based on progressive delays, i.e., after each failed attempt, user accounts are locked out for a set period of time. This time is increased with each failed password entry.

Challenge-response tests

Another way to prevent brute-force attacks include the use of challenge-response tests, such as CAPTCHA. The abbreviation CAPTCHA refers to “completely automated public Turing test to tell computers and humans apart.” CAPTCHAs usually require the evaluation and the entry of a sequence of letters and numbers that appear in a distorted image. 

Although the use of CAPTCHAs is an effective technique, its main drawback is that it reduces the accessibility and usability of the computers on which it is installed.

It should be noted that CAPTCHAs can also be compromised. Greg Mori and Jitendra Malik published a paper entitled “Recognizing Objects in Adversarial Clutter: Breaking a Visual CAPTCHA,” which includes a detailed method for circumventing one of the most popular CAPTCHAs (EZ-Gimpy). The effectiveness of the method is 92%.

Strong passwords policies

Brute-force attacks are usually ineffective against lengthy and complex passwords consisting of 15 and more characters including uppercase and lowercase letters, numbers and symbols. Therefore, organizations willing to avoid being infected with PonyFinal are advised to create and enforce password policies and require their staff to adhere to them. 

The policies also need to include a list of prohibited passwords, such as passwords containing personal names, dates of births, dictionary words, previous passwords or a common keyboard pattern (e.g., qwerty or 12345678).

Concluding remarks regarding PonyFinal

PonyFinal is an emerging threat that should not be underestimated. This relatively new malware is installed on the targeted computers by using well-planned manual operations. 

PonyFinal has the capacity to encrypt most files stored on the compromised networks and this, in turn, may lead to paralysis of entire networks. Once the files are encrypted, paying the ransom remains the only solution to recover the files. It is not a coincidence that many large organizations, even police departments, paid millions to operators of various types of ransomware. 

Prevention remains the only effective method against PonyFinal and other types of crypto-ransomware. We discussed three prevention measures that organizations can take to protect against PonyFinal. Their purpose is to avoid brute-force attacks that allow fraudsters to install PonyFinal on the targeted computers. 

Become a certified reverse engineer!

Become a certified reverse engineer!

Get live, hands-on malware analysis training from anywhere, and become a Certified Reverse Engineering Analyst.



  1. Microsoft warns about attacks with the PonyFinal ransomware, ZDNet
  2. Human-operated ransomware attacks: A preventable disaster, Microsoft
  3. Mori and J. Malik, "Recognizing objects in adversarial clutter: breaking a visual CAPTCHA," IEEE
  4. Techniques for preventing a brute force login attack, Computer Weekly
Daniel Dimov
Daniel Dimov

Dr. Daniel Dimov is the founder of Dimov Internet Law Consulting (, a legal consultancy based in Belgium. Daniel is a fellow of the Internet Corporation for Assigned Names and Numbers (ICANN) and the Internet Society (ISOC). He did traineeships with the European Commission (Brussels), European Digital Rights (Brussels), and the Institute for EU and International law “T.M.C. Asser Institute” (The Hague). Daniel received a Ph.D. in law from the Center for Law in the Information Society at Leiden University, the Netherlands. He has a Master's Degree in European law (The Netherlands), a Master's Degree in Bulgarian Law (Bulgaria), and a certificate in Public International Law from The Hague Academy of International law.