Recent reports show another ransomware going after PC’s loaded with the Windows and Linux operating systems in what appears to be a targeted campaign.
The ransomware is named Tycoon, as a reference to portions of its code, and has been active since December of 2019 and looks to be the work of highly selective cybercriminals in terms of who they are targeting. This malware also uses an uncommon deployment technique that helps stay hidden on compromised computers.
Tycoon Utilizes Java Code
Tycoon was uncovered by researchers at BlackBerry and analysts at KPMG. It’s an unusual form of ransomware because it’s written in Java, deployed as a trojanized Java Runtime Environment and is compiled in a Java image file to hide its malicious intentions.
“These are both unique methods. Java is very seldom used to write endpoint malware because it requires the Java Runtime Environment to be able to run the code. Image files are rarely used for malware attacks,” Eric Milam, VP for research and intelligence at BlackBerry, told website ZDNet.
“Attackers are shifting towards uncommon programming languages and obscure data formats. Here, the attackers did not need to obscure their code but were nonetheless successful in accomplishing their goals,” he added.
The first stage of Tycoon ransomware attacks comes via insecure internet-facing RDP servers. This is also a common attack technique for malware campaigns, and it often exploits servers with weak passwords.
After infiltration, the attackers use Image File Execution Options injection settings that more often provide developers with the ability to debug software. The attackers exploit privileges to disable anti-malware software using ProcessHacker to prevent the removal of Tycoon.
“Ransomware can be implemented in high-level languages such as Java with no obfuscation and executed in unexpected ways,” said Milam.
After the Tycoon files are run, the ransomware encrypts files that are given extensions including .redrum, .grinch and .thanos – and the attackers demand a ransom in exchange for the decryption key. Payment is requested in bitcoin, and the price depends on how quickly the victim gets in touch via email.
Researchers believe that Tycoon is linked to another form of ransomware, Dharma – also known as Crysis – due to similarities in the names of encrypted files, email addresses, and the content of the ransom note.
As RDP becomes a more common means of compromise, organizations should ensure that the only ports facing outward to the Internet are those that require it as an absolute necessity.
Entities should also ensure that accounts that do need access to these ports do not use default credentials or weak passwords that can be cracked easily.
Lastly, applying security patches when they’re released can also prevent many ransomware attacks. Companies should also regularly backup their network so that if the worst happens and they are infected with Tycoon, the network can be restored without giving into the demands of cybercriminals.
