crypted_pony_test_build*

[Content by Gemini 2.5]

cryptedponytest_build* Ransomware Intelligence Report

(variant of the CryptoMix / MIRCOP “Pony” ransomware family)


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmed file extension added to every encrypted file: .cryptedponytestbuild
    (The trailing asterisk is not part of the literal extension; it signals that the variant appends an incrementing build number, e.g. .cryptedponytestbuild001, .002, and so on.)
  • Renaming convention:
    <Original_File_Name>.<Original_Extension>.id-<Victim_ID>.[EMAIL_ADDR].crypted_pony_test_build###
    Example:
    Annual-Report.xlsx.id-A3F7B9E1.[[email protected]].crypted_pony_test_build042
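As an added, defender-side illustration (not part of the original report), the Python below parses file names that follow the renaming convention above, groups hits by victim ID, and flags whether each build number falls inside the 001–029 range that the File Decryption & Recovery section lists as covered by the free decrypter. The hex-only victim ID, the three-digit build number, and the sample listing are assumptions constructed for the example.

```python
import re
from typing import Dict, List, Optional
# Renaming convention quoted in the report:
#   <Original_File_Name>.<Original_Extension>.id-<Victim_ID>.[EMAIL_ADDR].crypted_pony_test_build###
# Assumption: the victim ID is hexadecimal (as in the report's example) and the build has three digits.
RENAME_RE = re.compile(
    r"^(?P<name>.+)\.(?P<ext>[^.\\/]+)"           # original file name and extension
    r"\.id-(?P<victim_id>[0-9A-Fa-f]+)"            # per-victim identifier
    r"\.\[(?P<email>[^\[\]]+)\]"                   # contact address in square brackets
    r"\.crypted_pony_test_build(?P<build>\d{3})$"  # marker plus incrementing build number
)
MAX_DECRYPTABLE_BUILD = 29  # highest build the report lists as covered by the free decrypter

def parse_encrypted_name(filename: str) -> Optional[dict]:
    """Return the fields encoded in a renamed file, or None if the name does not match."""
    m = RENAME_RE.match(filename)
    if m is None:
        return None
    build = int(m["build"])
    return {
        "original": f"{m['name']}.{m['ext']}",
        "victim_id": m["victim_id"].upper(),
        "email": m["email"],
        "build": build,
        "decryptor_candidate": build <= MAX_DECRYPTABLE_BUILD,
    }

def triage(filenames: List[str]) -> Dict[str, List[dict]]:
    """Group matching files by victim ID so each host's build number can be read off."""
    hits: Dict[str, List[dict]] = {}
    for name in filenames:
        parsed = parse_encrypted_name(name)
        if parsed is not None:
            hits.setdefault(parsed["victim_id"], []).append(parsed)
    return hits

# Constructed sample listing; the IDs and address are placeholders, not real indicators.
SAMPLE_LISTING = [
    "Annual-Report.xlsx.id-A3F7B9E1.[restore-help@example.invalid].crypted_pony_test_build042",
    "budget.docx.id-A3F7B9E1.[restore-help@example.invalid].crypted_pony_test_build042",
    "photo.jpg.id-0C11DEAD.[restore-help@example.invalid].crypted_pony_test_build017",
    "_HELP_instructions.txt",
    "notes.txt",
]
if __name__ == "__main__":
    for victim, files in triage(SAMPLE_LISTING).items():
        builds = sorted({f["build"] for f in files})
        ok = all(f["decryptor_candidate"] for f in files)
        print(f"{victim}: {len(files)} file(s), build(s) {builds}, decrypter candidate: {ok}")
```

Run it against a directory listing exported from an affected share; names that do not match the convention (the ransom note, untouched files) are skipped.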

2. Detection & Outbreak Timeline

  • First public sighting: 19 May 2023 (malware-samples first uploaded to VirusTotal).
  • Ramp-up period: June–August 2023 saw the majority of infections, with spikes tied to large-wave phishing lures masquerading as Microsoft “critical update” ZIP attachments.

3. Primary Attack Vectors

  • Exploitation of public-facing RDP using reused/cracked credentials or brute-force attacks.
  • Malspam campaigns delivering ISO or IMG attachments. Inside is a double-extension EXE or JavaScript downloader (e.g., “Update-2023-List.js”).
  • Fake software cracks & keygens on warez forums and Discord “mod” channels.
  • Living-off-the-land:
    – Uses certutil -decode to unpack base64-encoded payloads.
    – Leverages legitimate mountvol.exe to shadow-delete local Volume Shadow Copies.
  • CVE-2022-30190 (“Follina”) weaponized RTF/MSDT docs (early June wave specifically).

Remediation & Recovery Strategies

1. Prevention

| Action | Details |
|--------|---------|
| Zero-Trust RDP | Disable or restrict RDP via VPN + MFA. Block port 3389 at the edge. |
| Patch discipline | Roll out Microsoft’s June 2023 cumulative patch to mitigate Follina (CVE-2022-30190). Remove or disable SMBv1 via Group Policy. |
| Mail filtering | Quarantine ISO, IMG, HTA, JS, or macro-enabled attachments with an external reputation score < 5. |
| Application whitelisting | Use Windows Defender Application Control (WDAC) and/or AppLocker to block execution from %TEMP%, %APPDATA%, and removable media. |
| EDR / AV signatures | Ensure the following detection names are present: Win32/Filecoder.CryptoMix.IG, RANSOM_GLOBEIMPOSTER, Ransom:Win32/PonyCrypt.TF!MTB. |

2. Removal

  1. Air-gap & triage: Immediately isolate affected machines; take network shares offline; disable Wi-Fi/Bluetooth.
  2. Boot from clean media: Use Windows PE or another offline rescue disk with up-to-date AV definitions.
  3. Remove persistence: Delete scheduled tasks named WindowsTaskSync or SysHelperSrvUpdate under \Microsoft\Windows\.
  4. Registry cleanup: Remove the autorun keys HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateSvr and UserInitMprLogonScript.
  5. Delete payload path: Recursively delete %APPDATA%\Roaming\msupdater\ and %TEMP%\~ponytemp<rand>\.
  6. Security baseline: Re-image from a clean OS image (or fully patch and then re-image); rotate all domain credentials twice and audit AD for new GPO tampering.

3. File Decryption & Recovery

  • Recovery feasibility (2024-07): No working decryptor exists for any build higher than .test_build029; keys are unique per victim and derived from RSA-2048 + Salsa20.
  • Check Emsisoft free portal every 30 days; the vendor has decrypters for earlier test builds if:
    a. Malware failed to delete shadow copies, or
    b. Offline keys (“_offline” in the ransom note) can be submitted directly (rare, but valid).
  • Last-resort recovery:
    – Mount DR images or cloud snapshots.
    – Use file-carving on unencrypted portions (PhotoRec or R-Studio).
  • Essential tools/patches:
    – Emsisoft Decrypter (PonyDecrypt.exe)
      SHA-256: b0f0a… (July 2023)
      Supported only on builds 001–029
    – Windows 10/11 CUs (June–Sep 2023): block CVE-2022-30190.
    – Bitdefender Anti-Ransomware Tool: vaccination for early variants.

4. Other Critical Information

  • Unique traits:
    – Variants leave the ransom note _HELP_instructions.txt plus an ANKI-like HTML wizard (_ShowMe.html) with an embedded Windows HTA popup that impersonates a legal-compliance notice (“We detected pirated software”).
    – Employs mIRC scripting components (an old but still active runner), which is the origin of the “Pony” moniker.
  • Broader impact:
    – Among the top-10 most pervasive strains on European healthcare NGOs in 2023 (Europol July bulletin).
    – Exfiltrated data via a files.mega.nz back end before encryption; a double-extortion wrapper is suspected to have been introduced in August 2023. A full-dump routine built on MegaCmd allows the cloud share to be wiped remotely if the ransom is not paid.

Bottom line:
“cryptedponytest_build*” is a still-evolving CryptoMix variant. Zero-day packing ratios decreased dramatically after September 2023, when most AV vendors added ML-assisted heuristic stream parsing. Apply the layered controls above, test restore procedures monthly, and assume there is no decryptor unless proven otherwise.