Tycoon ransomware is a human-operated threat that has been deployed in cyberattacks against small- to medium-sized software organizations and education industries since December 2019. Researchers have discovered variants of the Java-based ransomware Tycoon capable of targeting both Windows- and Linux-based systems.
“This is the first time they’ve seen a ransomware module compiled into a Java image file format, or JIMAGE. These files contain all the components needed for the code to run — a bit like a Java application — but are rarely scanned by anti-malware engines and can go largely undetected.”
- Statement by BlackBerry
Tycoon Ransomware is Manually Deployed
Security researchers found that Tycoon ransomware is manually deployed, with the attackers targeting individual systems and connecting via an RDP server. Once a target is identified and infiltrated using local administrator credentials, the malware operator disables any antivirus software and installs ProcessHacker, a hacker-as-a-service utility.
To infiltrate a targeted machine, Tycoon takes the form of a Java Runtime Environment (JRE) build that evades detection by piggybacking on an obscure Java image format (JIMAGE). Since the JRE build contains both a Windows batch file and a Linux shell script, security researchers suggest that malware operators can use Tycoon to encrypt Windows and Linux servers alike.
Once the ransomware infiltrates the victims’ networks using vulnerable RDP servers, it encrypts the files stored on the systems. According to security researchers, malware operators use a robust and off-the-shelf encryption algorithm to lock the victims’ files in exchange for a ransom payment that is usually demanded in cryptocurrency.
Unfortunately, even if the victims pay the ransom fee, their data is not always decrypted. Therefore, the cybersecurity community warns that paying the ransom is not recommended as it only motivates bad actors to carry out more ransomware campaigns.
Links to Dharma ransomware?
A rather disturbing fact about Tycoon ransomware is that the campaigns involving it plagued computer users for months on end. Due to the similarities in the email addresses, the names of encrypted files, and the text of the ransom notes, the researchers suggest that Tycoon could be linked to Dharma ransomware (a.k.a. Crysis ransomware). However, this claim is not confirmed, and the malware analysis continues.
There is No Decryptor for the New Tycoon Ransomware
No decryption tools were available while the Tycoon ransomware was circulating. Since it uses an asymmetric RSA algorithm to encrypt the securely generated AES keys, decrypting the files requires obtaining the attacker's private RSA key. However, “Factoring a 1024-bit RSA key, although theoretically possible, has not been achieved yet and would require extraordinary computational power”, security researchers say.