Researchers detail the unusual workings of Tycoon ransomware – which appears to be designed to stay under the radar as much as possible.
A newly uncovered form of ransomware is going after Windows and Linux systems in what appears to be a targeted campaign.
Named Tycoon after references in the code, this ransomware has been active since December 2019 and looks to be the work of cyber criminals who are highly selective in their targeting. The malware also uses an uncommon deployment technique that helps stay hidden on compromised networks.
Tycoon has been uncovered and detailed by researchers at BlackBerry working with security analysts at KPMG. It’s an unusual form of ransomware because it’s written in Java, deployed as a trojanised Java Runtime Environment and is compiled in a Java image file (Jimage) to hide the malicious intentions.
“These are both unique methods. Java is very seldom used to write endpoint malware because it requires the Java Runtime Environment to be able to run the code. Image files are rarely used for malware attacks,” Eric Milam, VP for research and intelligence at BlackBerry, told ZDNet.
“Attackers are shifting towards uncommon programming languages and obscure data formats. Here, the attackers did not need to obscure their code but were nonetheless successful in accomplishing their goals,” he added.
However, the first stage of Tycoon ransomware attacks is less uncommon, with the initial intrusion coming via insecure internet-facing RDP servers. This is a common attack vector for malware campaigns and it often exploits servers with weak or previously compromised passwords.
Once inside the network, the attackers maintain persistence by using Image File Execution Options (IFEO) injection settings that more often provide developers with the ability to debug software. The attackers also use privileges to disable anti-malware software using ProcessHacker in order to stop removal of their attack.