Dark Reading is part of the Informa Tech Division of Informa PLC



05:45 PM

New 'Tycoon' Ransomware Strain Targets Windows, Linux

Researchers say Tycoon ransomware, which has targeted software and educational institutions, has a few traits they haven't seen before.

A newly discovered form of Java-based ransomware has been spotted in active and seemingly targeted attacks on education and software companies, researchers from BlackBerry and KPMG report. This strain, dubbed Tycoon, uses an obscure Java image format to bypass security tools.

The discovery began when KPMG's UK Cyber Response Services team was contacted to respond to a targeted attack against an educational institution. BlackBerry's Research and Intelligence team, which works with KPMG, analyzed the threat. The Tycoon ransomware, they say, has been observed in the wild since December 2019 and targets both Windows and Linux machines. Its victim count is "limited," researchers say, suggesting it may be a highly targeted threat.

In this case, an attacker connected to the target system using a Remote Desktop Protocol (RDP) server on the network, then located a target and obtained local administrator credentials. From there, they installed process hacker-as-a-service and disabled antivirus. They dropped a backdoor so they could gain re-entry and left.

Seven days later, the attacker connected to an RDP server and used it to move laterally across the network, making RDP connections to multiple systems. Analysis indicates RDP connections were manually initiated for each server, BlackBerry's team states in a blog post. The attacker then ran process hacker-as-a-service and disabled antivirus, then executed the ransomware. The same process was repeated for each infected server on the network, and files were encrypted with extensions including .thanos, .grinch, and .redrum.
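The lateral-movement pattern described above, one operator manually opening RDP sessions to server after server, is detectable from authentication logs. As an added illustration (not part of BlackBerry's or KPMG's published analysis), the script below flags any source address that completes interactive RDP logons to several distinct hosts within a short window. The event records are constructed for the demo; the field names are a simplified rendering of Windows Security event 4624, where logon type 10 (RemoteInteractive) corresponds to RDP.

```python
"""Flag one source fanning out RDP logons to many hosts in a short window.

Added example, not from the BlackBerry/KPMG report. The events below are
constructed and loosely modelled on Windows Security event 4624; in the real
event, LogonType 10 marks a RemoteInteractive (RDP) logon.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: normalised 4624 events (timestamp, source IP, target host, logon type).
SAMPLE_EVENTS = [
    {"ts": "2019-12-10T01:02:00", "src": "10.0.0.5",  "host": "FILESRV01", "type": 10},
    {"ts": "2019-12-10T01:06:00", "src": "10.0.0.5",  "host": "DBSRV01",   "type": 10},
    {"ts": "2019-12-10T01:09:00", "src": "10.0.0.5",  "host": "APPSRV02",  "type": 10},
    {"ts": "2019-12-10T01:12:00", "src": "10.0.0.5",  "host": "DC01",      "type": 10},
    {"ts": "2019-12-10T01:15:00", "src": "10.0.0.5",  "host": "FILESRV01", "type": 10},  # repeat host
    {"ts": "2019-12-10T01:20:00", "src": "10.0.0.5",  "host": "BACKUP01",  "type": 3},   # network logon, not RDP
    {"ts": "2019-12-10T08:00:00", "src": "10.0.0.77", "host": "FILESRV01", "type": 10},  # normal admin use
    {"ts": "2019-12-10T09:00:00", "src": "10.0.0.77", "host": "FILESRV01", "type": 10},
]


def parse_ts(value):
    """Parse the ISO-8601 timestamps used in the constructed sample."""
    return datetime.fromisoformat(value)


def rdp_fanout(events, window=timedelta(hours=1), threshold=3):
    """Return {source: set_of_hosts} for every source that reached at least
    `threshold` distinct hosts over RDP inside some `window`-long interval.

    Only logon type 10 counts; repeat logons to the same host do not inflate
    the count, which is what separates "one admin on one box" from fan-out.
    """
    per_src = defaultdict(list)
    for e in events:
        if e["type"] == 10:
            per_src[e["src"]].append((parse_ts(e["ts"]), e["host"]))

    alerts = {}
    for src, logons in per_src.items():
        logons.sort()                      # chronological order for the sliding window
        best = set()
        lo = 0
        for hi in range(len(logons)):
            # Advance the window start until every logon in [lo, hi] fits in `window`.
            while logons[hi][0] - logons[lo][0] > window:
                lo += 1
            hosts = {h for _, h in logons[lo:hi + 1]}
            if len(hosts) >= threshold and len(hosts) > len(best):
                best = hosts
        if best:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    for src, hosts in rdp_fanout(SAMPLE_EVENTS).items():
        print(f"ALERT: {src} opened RDP sessions to {len(hosts)} hosts: {sorted(hosts)}")
```

Tune `window` and `threshold` to the environment; a jump host used by a whole operations team will legitimately fan out, so the alert is most useful when scoped to sources that are not known administrative hosts.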

"They really understood the environment," says Eric Milam, vice president of Guard Services at BlackBerry. "It's not a shock why they chose ransomware … [they] were able to cause the maximum amount of damage across platforms."

Once they established a foothold in the target organization, he says, it was "off to the races." After a week, attackers targeted only the main servers, with the clear intent of crippling the infrastructure and ensuring a ransom payment.

Tycoon Adds New Twist to Ransomware
Tycoon is deployed as a Trojanized Java Runtime Environment (JRE) and compiled into a Java image file (JIMAGE), a special file format that stores custom JRE images and is designed to be used by the Java Virtual Machine (JVM) at runtime. JIMAGE holds resources and class files of all Java modules that support the specific JRE build. Unlike the more popular Java Archive format (JAR), JIMAGE is mostly internal to the Java Development Kit (JDK). Developers rarely use it.

"Because JIMAGE is more used internally by Java, it's a very nice way to hide," says Claudiu Teodorescu, director of BlackBerry's threat hunting and intelligence operations, noting that businesses may assume the activity is coming from an internal developer. "This is a nice way to be stealthy because nobody will look into JIMAGE and think something is off." 

The use of a JIMAGE file is "completely new" to ransomware, adds Milam. JIMAGE isn't normally parsed by antivirus and may appear to be a standard component or library in the SDK. "There's not a lot of reason to question [it]," he says. Researchers note the malicious JRE build contains both Windows and Linux versions of a shell script that triggers the ransomware when executed, suggesting Linux servers are also targets.
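Because a trojanized JRE looks like any other JRE on disk, a practical defensive check is to inventory every JIMAGE file regardless of its name and compare it against hashes of the JDK builds the organization actually deploys. The script below is an added example, not code from BlackBerry or KPMG; it relies on one fact about the format, namely that a JIMAGE file begins with the 32-bit magic 0xCAFEDADA written in the producing platform's byte order, so either byte sequence can appear on disk. The allow-list and the sample directory tree are constructed for the demo.

```python
"""Inventory JIMAGE files on disk and compare them with known-good hashes.

Added example, not from the BlackBerry/KPMG research. Assumption relied on:
a JIMAGE file starts with the magic 0xCAFEDADA in the writer's byte order, so
the first four bytes are CA FE DA DA or DA DA FE CA. In a stock JDK 9+ the only
JIMAGE is <jdk>/lib/modules; the allow-list below stands in for the hashes of
the JDK builds an organization has approved.
"""
import hashlib
import os
import struct
import tempfile

JIMAGE_MAGIC = 0xCAFEDADA
MAGIC_BIG = struct.pack(">I", JIMAGE_MAGIC)     # b"\xca\xfe\xda\xda"
MAGIC_LITTLE = struct.pack("<I", JIMAGE_MAGIC)  # b"\xda\xda\xfe\xca" (what x86 builds write)


def is_jimage(path):
    """True if the file's first four bytes are the JIMAGE magic in either byte order."""
    try:
        with open(path, "rb") as f:
            head = f.read(4)
    except OSError:
        return False
    return head in (MAGIC_BIG, MAGIC_LITTLE)


def sha256_file(path):
    """Hash a file in chunks so large JDK images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def find_jimages(root):
    """Walk root and return sorted [(path, sha256)] for every JIMAGE file, whatever it is named."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if is_jimage(p):
                found.append((p, sha256_file(p)))
    return sorted(found)


def triage(root, known_good):
    """Split JIMAGE files into approved ones and ones that need analyst review.

    A file is approved only if its hash is on the allow-list AND it carries the
    name a stock JDK uses ('modules'); anything else, including a JIMAGE hiding
    under an unrelated filename, is flagged.
    """
    ok, review = [], []
    for path, digest in find_jimages(root):
        if digest in known_good and os.path.basename(path) == "modules":
            ok.append(path)
        else:
            review.append(path)
    return ok, review


def demo():
    """Build a throwaway tree (constructed data): one approved JRE, one JRE whose
    modules file differs from the allow-list, and one stray JIMAGE with an odd name."""
    root = tempfile.mkdtemp()

    def write(rel, payload):
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(payload)
        return p

    good = write("jre-approved/lib/modules", MAGIC_LITTLE + b"\x01\x00\x00\x00" + b"A" * 64)
    write("jre-approved/lib/rt.jar", b"PK\x03\x04 not a jimage")          # ZIP header, ignored
    write("Apps/updater/lib/modules", MAGIC_LITTLE + b"\x01\x00\x00\x00" + b"B" * 64)
    write("Apps/updater/lib/data.bin", MAGIC_BIG + b"C" * 32)             # JIMAGE under a foreign name
    known_good = {sha256_file(good)}
    return triage(root, known_good)


if __name__ == "__main__":
    approved, flagged = demo()
    print("approved:", approved)
    print("review:  ", flagged)
```

On a real estate the allow-list would be populated from the `lib/modules` hashes of each vendor JDK release in use, and the scan would be run against application directories as well as the system Java installs, since the point of the technique is that the image ships with its own JRE.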

Because the attackers used an asymmetric RSA algorithm to encrypt the AES keys, file decryption requires obtaining the attacker's private RSA key. Researchers note some victims may not have needed to pay: In a BleepingComputer forum, a Tycoon victim posted a private RSA key that presumably came from a decryptor they bought from the attackers. This key could be used to decrypt files encrypted by the earliest version of Tycoon, which used the .redrum extension.

Researchers also noticed an overlap between Tycoon and the Dharma/CrySIS ransomware — in particular, the email addresses, ransom note text, and naming convention for encrypted files. Dharma/CrySIS appeared last year and didn't go away, Teodorescu says. When Tycoon appeared in December, researchers noticed the .redrum extension, which was also seen in the earlier Dharma/CrySIS campaigns. Like Tycoon, Dharma/CrySIS exploited weak credentials on RDP to break in. While there was no mention of Java in these attacks, the attackers were also living off the land.

Malware writers are constantly seeking new ways to evade detection, researchers state in their blog post. Now, they say, attackers are moving away from conventional obfuscation and toward uncommon programming languages and obscure data formats. They note a "substantial increase" in ransomware written in Java, Go, and other languages. 

For businesses that want to better protect against Tycoon, Teodorescu advises first making sure they know their infrastructure: "Have a clear methodology of auditing credentials, patching your operating system, patching web servers, [and] making sure you have cyber hygiene methodology in place for your organization," he says.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
