Cyber Security

Tycoon Ransomware Targets Windows and Linux Systems

Tycoon ransomware is one of the latest cyber-threats deployed in cyberattacks against small to medium size software organizations and education industries. Tycoon ransomware was first seen in December 2019. Researchers have discovered variants of the Java-based ransomware Tycoon that are capable of targeting Windows and Linux systems.

“This is the first time they’ve seen a ransomware module compiled into a Java image file format, or JIMAGE. These files contain all the components needed for the code to run — a bit like a Java application — but are rarely scanned by anti-malware engines and can go largely undetected.”  - Statement by BlackBerry 

Tycoon Ransomware is Manually Deployed

Security researchers found that Tycoon ransomware is manually deployed, with the attackers targeting individual systems and connecting via RDP server. Once a target is identified and infiltrated using local administrator credentials, the malware operator disables any antivirus software and installs ProcessHacker, a hacker-as-a-service utility. 

Tycoon takes the form of a Java Runtime Environment (JRE) and piggy-backs on an obscure Java image format (JIMAGE) to infiltrate a targeted machine, Doing this means that the ransomware passes by antivirus detection without being spotted. Since the JRE build contains both a Windows batch file and a Linux shell, security researchers suggest that malware operators can use Tycoon to encrypt both Windows and Linux servers.

Figure 1: Image: Java image file format (JIMAGE)

Infographic showing tycoon ransomware attack flow

Screenshot of the ransom software module complied with JIMAGE. Source: Small Tech News

Once the ransomware infiltrates the victims’ networks using vulnerable RDP servers, it encrypts the files stored on the systems. According to security researchers, malware operators use a strong, off-the-shelf encryption algorithm to lock the victims’ files in exchange for a ransom payment, usually demanded in cryptocurrency, as shown in the ransom note below. 

Figure 2: Image: Tycoon Ransomware Ransom Note

tycoon ransomware ransom note.

Caption: The ransom note informs the victims what to do to recover their files. Source: Small Tech News

Unfortunately, even if the victims pay the ransom fee, their data is not always decrypted. Therefore, the cybersecurity community warns that paying the ransom is not recommended as it only motivates threat actors to carry out more ransomware campaigns. 

Tycoon Ransomware Campaign is Still Ongoing

A rather disturbing fact about Tycoon ransomware is that the malware campaigns involving Tycoon continue to this day. Until now, security researchers have only seen Tycoon targeting Windows systems, but shell scripts in the ransomware's Java modules contain both Windows and Linux variants.

Due to the similarities in the email addresses, names of encrypted files, and the text of the ransom notes, the researchers suggest that Tycoon could be linked to Dharma ransomware (a.ka. Crysis ransomware), though this claim is not confirmed and analysis of the ransomware continues.

There is No Decryptor for the New Tycoon Ransomware

Currently, there is no decryptor for the latest version of Tycoon ransomware. Since it uses asymmetric RSA algorithm to encrypt the securely generated AES keys, the file decryption requires obtaining the attacker's private RSA key. However, “Factoring a 1024-bit RSA key, although theoretically possible, has not been achieved yet and would require extraordinary computational power”, security researchers say.

Show More

Reactionary Times News Desk

All breaking news stories that matter to America. The News Desk is covered by the sharpest eyes in news media, as they decipher fact from fiction.

Previous/Next Posts

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button