Print
A newly uncovered form of ransomware is going after Windows and Linux systems in what appears to be a targeted campaign. Named Tycoon after references in the code, this ransomware has been active since December 2019 and looks to be the work of cybercriminals who are highly selective in their targeting. The malware also uses an uncommon deployment technique that helps stay hidden on compromised networks. The main targets of Tycoon are organizations in the education and software industries. Tycoon has been uncovered and detailed by researchers at BlackBerry working with security analysts at KPMG. It's an unusual form of ransomware because it's written in Java, deployed as a trojanized Java Runtime Environment, and is compiled in a Java image file (Jimage) to hide the malicious intentions. "These are both unique methods. Java is very seldom used to write endpoint malware because it requires the Java Runtime Environment to be able to run the code. Image files are rarely used for malware attacks," Eric Milam, VP for research and intelligence at BlackBerry, told ZDNet. "Attackers are shifting towards uncommon programming languages and obscure data formats. Here, the attackers did not need to obscure their code but were nonetheless successful in accomplishing their goals," he added. However, the first stage of Tycoon ransomware attacks is less uncommon, with the initial intrusion coming via insecure internet-facing RDP servers. This is a common attack vector for malware campaigns and it often exploits servers with weak or previously compromised passwords. Once inside the network, the attackers maintain persistence by using Image File Execution Options (IFEO) injection settings that more often provide developers with the ability to debug software. The attackers also use privileges to disable anti-malware software using ProcessHacker in order to stop the removal of their attack. "Ransomware can be implemented in high-level languages such as Java with no obfuscation and executed in unexpected ways," said Milam. After execution, the ransomware encrypts the network with files encrypted by Tycoon given extensions including .redrum, .grinch, and .thanos – and the attackers demand a ransom in exchange for the decryption key. The attackers ask for payment in bitcoin and claim the price depends on how quickly the victim gets in touch via email. Get better informed by visiting OUR FORUM.