
05:45 PM
New 'Tycoon' Ransomware Strain Targets Windows, Linux

Researchers say Tycoon ransomware, which has targeted software and educational institutions, has a few traits they haven't seen before.

A newly discovered form of Java-based ransomware has been spotted in active and seemingly targeted attacks on education and software companies, researchers from BlackBerry and KPMG report. This strain, dubbed Tycoon, uses an obscure Java image format to bypass security tools.

The discovery began when KPMG's UK Cyber Response Services team was contacted to respond to a targeted attack against an educational institution. BlackBerry's Research and Intelligence team, which works with KPMG, analyzed the threat. The Tycoon ransomware, they say, has been observed in the wild since December 2019 and targets both Windows and Linux machines. Its victim count is "limited," researchers say, suggesting it may be a highly targeted threat.

In this case, an attacker connected to the target system through a Remote Desktop Protocol (RDP) server on the network, located a target, and obtained local administrator credentials. From there, they installed Process Hacker as a service and disabled antivirus. They dropped a backdoor so they could regain entry later, and left.

Seven days later, the attacker connected to an RDP server and used it to move laterally across the network, making RDP connections to multiple systems. Analysis indicates the RDP connections were manually initiated for each server, BlackBerry's team states in a blog post. The attacker then ran Process Hacker as a service, disabled antivirus, and executed the ransomware. The same process was repeated for each infected server on the network, and files were encrypted with extensions including .thanos, .grinch, and .redrum.

"They really understood the environment," says Eric Milam, vice president of Guard Services at BlackBerry. "It's not a shock why they chose ransomware … [they] were able to cause the maximum amount of damage across platforms."

Once they established a foothold in the target organization, he says, it was "off to the races." After a week, the attackers targeted only the main servers, with the clear intent of crippling the infrastructure and ensuring a ransom payment.

Tycoon Adds New Twist to Ransomware
Tycoon is deployed as a Trojanized Java Runtime Environment (JRE) and compiled into a Java image file (JIMAGE), a special file format that stores custom JRE images and is designed to be used by the Java Virtual Machine (JVM) at runtime. JIMAGE holds resources and class files of all Java modules that support the specific JRE build. Unlike the more popular Java Archive format (JAR), JIMAGE is mostly internal to the Java Development Kit (JDK). Developers rarely use it.

"Because JIMAGE is more used internally by Java, it's a very nice way to hide," says Claudiu Teodorescu, director of BlackBerry's threat hunting and intelligence operations, noting that businesses may assume the activity is coming from an internal developer. "This is a nice way to be stealthy because nobody will look into JIMAGE and think something is off." 

The use of a JIMAGE file is "completely new" to ransomware, adds Milam. JIMAGE isn't normally parsed by antivirus and may appear to be a standard component or library in the SDK. "There's not a lot of reason to question [it]," he says. Researchers note the malicious JRE build contains both Windows and Linux versions of a shell script that triggers the ransomware when executed, suggesting Linux servers are also targets.
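As an added example (not from the article, nor from BlackBerry or KPMG), the following Python hunt script recognises JIMAGE files by their header rather than by file name or extension, and flags any found outside the one place a legitimate one lives in a JDK or JRE. The 28-byte header layout and the 0xCAFEDADA magic word follow OpenJDK's jimage format as I understand it, and the "expected location" rule (`lib/modules`) is an assumption of this script.

```python
import os
import struct

JIMAGE_MAGIC = 0xCAFEDADA   # magic word at the start of a JIMAGE ("modules") file (assumed from OpenJDK)
HEADER_LEN = 28             # seven 32-bit fields: magic, version, flags, resource count, table length,
                            # locations size, strings size (assumed layout)

def parse_jimage_header(data: bytes):
    """Return the parsed JIMAGE header as a dict, or None if `data` is not a JIMAGE."""
    if len(data) < HEADER_LEN:
        return None
    # The JVM writes the header in its native byte order, so accept either order.
    for endian in ("<", ">"):
        fields = struct.unpack(endian + "7I", data[:HEADER_LEN])
        if fields[0] == JIMAGE_MAGIC:
            version = fields[1]   # major in the high 16 bits, minor in the low 16 bits
            return {
                "endian": "little" if endian == "<" else "big",
                "major": version >> 16,
                "minor": version & 0xFFFF,
                "flags": fields[2],
                "resource_count": fields[3],
                "table_length": fields[4],
                "locations_size": fields[5],
                "strings_size": fields[6],
            }
    return None

def is_expected_location(path: str) -> bool:
    """Assumption: a legitimate JIMAGE is the file 'modules' inside a JDK/JRE 'lib' directory."""
    head, name = os.path.split(os.path.abspath(path))
    return name == "modules" and os.path.basename(head) == "lib"

def scan_for_jimage(root: str):
    """Walk `root`; return (path, header) for every JIMAGE found outside the expected location."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    header = parse_jimage_header(fh.read(HEADER_LEN))
            except OSError:
                continue   # unreadable file; skip rather than abort the whole scan
            if header is not None and not is_expected_location(path):
                findings.append((path, header))
    return findings

# Constructed sample input: a little-endian JIMAGE header, version 1.0, 3 resources.
SAMPLE_HEADER = struct.pack("<7I", JIMAGE_MAGIC, 1 << 16, 0, 3, 4, 64, 32)
```

Run `scan_for_jimage("/")` on a host and review any hit whose path is not a known JDK install; a JIMAGE dropped under a user profile or temp directory is worth a closer look.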

Because the attackers used an asymmetric RSA algorithm to encrypt the AES keys, file decryption requires obtaining the attacker's private RSA key. Researchers note some victims may not have needed to pay: In a BleepingComputer forum, a Tycoon victim posted a private RSA key that presumably came from a decryptor they bought from the attackers. This key could be used to decrypt files encrypted by the earliest version of Tycoon, which used the .redrum extension.

Researchers also noticed an overlap between Tycoon and the Dharma/CrySIS ransomware — in particular, the email addresses, ransom note text, and naming convention for encrypted files. Dharma/CrySIS appeared last year and didn't go away, Teodorescu says. When Tycoon appeared in December, researchers noticed the .redrum extension, which was also seen in the earlier Dharma/CrySIS campaigns. Like Tycoon, Dharma/CrySIS exploited weak credentials on RDP to break in. While there was no mention of Java in these attacks, the attackers were also living off the land.

Malware writers are constantly seeking new ways to evade detection, researchers state in their blog post. Now, they say, attackers are moving away from conventional obfuscation and toward uncommon programming languages and obscure data formats. They note a "substantial increase" in ransomware written in Java, Go, and other languages. 

For businesses that want to better protect against Tycoon, Teodorescu advises first making sure they know their infrastructure: "Have a clear methodology of auditing credentials, patching your operating system, patching web servers, [and] making sure you have cyber hygiene methodology in place for your organization," he says.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...