28 May 2020

Java-based PonyFinal ransomware deployed against selected targets in India, Iran, and the US

Microsoft has issued a security alert warning organizations about ongoing attacks using a new piece of ransomware called PonyFinal that has been in the wild over the past two months.

In a series of tweets, Microsoft’s Threat Intelligence Team said that PonyFinal is Java-based ransomware that is deployed manually by attackers. PonyFinal, which appeared on the cybercrime scene earlier this year, has been seen in attacks against victims in India, Iran, and the United States.

However, the researchers said, organizations should focus less on the payload of PonyFinal and instead pay more attention to how the malware is delivered.

“PonyFinal is at the tail end of protracted human-operated ransomware campaigns that are known to stay dormant and wait for the most opportune time to deploy the payload,” the researchers said.

In the observed attacks, the PonyFinal operators gained initial access through brute-force attacks against the target company's systems management server. They then deployed a VBScript that launches a PowerShell reverse shell to perform data dumps, along with a remote manipulator system used to bypass event logging.
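As an added defensive illustration (not from the article or from Microsoft's alert), the two delivery steps described above leave traces that can be surfaced from logs: a burst of failed logons against the management server, and PowerShell being spawned by a Windows script host. The log format, host names, addresses and thresholds below are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not from the article): "<timestamp> <host> <event> key=value ...",
# a simplified stand-in for Windows logon-failure and Sysmon process-creation events.
SAMPLE_LOG = """\
2020-05-01T02:00:01 mgmt01 LOGON_FAILED user=admin src=10.0.9.7
2020-05-01T02:00:02 mgmt01 LOGON_FAILED user=admin src=10.0.9.7
2020-05-01T02:00:03 mgmt01 LOGON_FAILED user=admin src=10.0.9.7
2020-05-01T02:00:04 mgmt01 LOGON_FAILED user=admin src=10.0.9.7
2020-05-01T02:00:09 mgmt01 LOGON_OK user=admin src=10.0.9.7
2020-05-01T02:15:00 mgmt01 PROC_CREATE parent=wscript.exe image=powershell.exe
2020-05-01T03:00:00 ws-22 LOGON_FAILED user=jdoe src=10.0.1.5
2020-05-01T09:00:00 ws-22 PROC_CREATE parent=explorer.exe image=powershell.exe
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(.*)$")

def parse(log):
    """Yield (timestamp, host, event, fields) for each well-formed line; skip the rest."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        fields = dict(kv.split("=", 1) for kv in m.group(4).split())
        yield ts, m.group(2), m.group(3), fields

def detect_bruteforce(log, threshold=4, window=timedelta(minutes=1)):
    """Return (host, src) pairs with at least `threshold` failed logons inside one window."""
    hits = set()
    recent = defaultdict(list)  # (host, src) -> failure timestamps still inside the window
    for ts, host, event, f in parse(log):
        if event != "LOGON_FAILED":
            continue
        key = (host, f.get("src"))
        recent[key] = [t for t in recent[key] if ts - t <= window] + [ts]
        if len(recent[key]) >= threshold:
            hits.add(key)
    return sorted(hits)

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

def detect_script_to_powershell(log):
    """Return (host, parent, image) for every PowerShell process launched by a script host."""
    return [(host, f["parent"], f["image"]) for _, host, event, f in parse(log)
            if event == "PROC_CREATE" and f.get("parent", "").lower() in SCRIPT_HOSTS
            and f.get("image", "").lower() == "powershell.exe"]
```

The brute-force threshold and window are placeholders; tune them to the normal failure rate of the server being monitored.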

Once the attackers have gained a foothold on the target’s network, they move laterally to infect other systems with the ransomware.

“In certain cases, the attackers deploy Java Runtime Environment (JRE), which the Java-based PonyFinal ransomware needs to run. However, evidence suggests that attackers use information stolen from the systems management server to target endpoints with JRE already installed,” Microsoft explained.

PonyFinal usually appends the “.enc” extension to the names of encrypted files and drops a ransom note, a simple text file containing payment instructions.

Researchers warn that the encryption scheme of the PonyFinal ransomware is secure and there is no way, at least for now, to recover encrypted files.

