Microsoft issues warning about new PonyFinal ransomware attacks
PonyFinal attackers “looking for targets of opportunity," says Misner

Microsoft Security Intelligence posted a series of tweets urging companies to implement protections against PonyFinal, a new ransomware that’s been active for the last two months.
PonyFinal, according to Microsoft Security Intelligence, is not an automated threat. Rather, it has humans pulling its reins. Hackers must manually propagate the ransomware via an MSI file containing two batch files and the ransomware payload.
Per the experts, PonyFinal uses a secure encryption scheme, meaning that encrypted files can’t be recovered either. Unfortunately, Microsoft says, these attackers have compromised their targets for several months and been patiently waiting for the perfect opportunity to monetize their cyberattacks.
“PonyFinal is at the tail end of protracted human-operated ransomware campaigns that are known to stay dormant and wait for the most opportune time to deploy the payload,” a tweet from Microsoft Security Intelligence reads.
"These attackers are looking for targets of opportunity," Phillip Misner, Security Program Manager at Microsoft explained in an interview with Dark Reading.
Misner added that PonyFinal operators don’t discriminate when it comes to choosing targets either. PonyFinal has already targeted victims in the U.S., India and Iran. It’s taken aim at the health care and financial sectors specifically.
“So far, the attacks have affected aid organizations, medical billing companies, manufacturing, transport, government institutions and educational software providers, showing that these ransomware groups give little regard to the critical services they impact, global crisis notwithstanding,” researchers explained in April. “These attacks, however, are not limited to critical services, so organizations should be vigilant for signs of compromise.”
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
Human-operated ransomware like PonyFinal is nothing new. Ransomware similar to PonyFinal has been growing more popular as attackers try to maximize ransom from individual targets. Other human-operated ransomware campaigns similar to PonyFinal include Bitpaymer, Ryuk, REvil and Samas.
-
AI coding tools are booming – and developers in this one country are by far the most frequent users
News AI coding tools are soaring in popularity worldwide, but developers in one particular country are among the most frequent users.
-
Cisco warns of critical flaw in Unified Communications Manager – so you better patch now
News While the bug doesn't appear to have been exploited in the wild, Cisco customers are advised to move fast to apply a patch
-
A prolific ransomware group says it’s shutting down and giving out free decryption keys to victims – but cyber experts warn it's not exactly a 'gesture of goodwill'
News The Hunters International ransomware group is rebranding and switching tactics
-
Swiss government data published following supply chain attack – here’s what we know about the culprits
News Radix, a non-profit organization in the health promotion sector, supplies a number of federal offices, whose data has apparently been accessed.
-
Ransomware victims are getting better at haggling with hackers
News While nearly half of companies paid a ransom to get their data back last year, victims are taking an increasingly hard line with hackers to strike fair deals.
-
LockBit data dump reveals a treasure trove of intel on the notorious hacker group
News An analysis of May's SQL database dump shows how much LockBit was really making
-
‘I take pleasure in thinking I can rid society of at least some of them’: A cyber vigilante is dumping information on notorious ransomware criminals – and security experts say police will be keeping close tabs
News An anonymous whistleblower has released large amounts of data allegedly linked to the ransomware gangs
-
It's been a bad week for ransomware operators
News A host of ransomware strains have been neutralized, servers seized, and key players indicted
-
Everything we know about the Peter Green Chilled cyber attack
News A ransomware attack on the chilled food distributor highlights the supply chain risks within the retail sector
-
Scattered Spider: Who are the alleged hackers behind the M&S cyber attack?
News The Scattered Spider group has been highly active in recent years