Beware of Tycoon—the Ransomware Targeting Windows and Linux Systems
Windows and Linux systems are in the cyber-crosshairs of a recently uncovered ransomware, in what appears to be a targeted campaign.
Tycoon is a multi-platform Java ransomware that is deployed in the form of a Trojanized Java Runtime Environment (JRE) and leverages an obscure Java image format that enables it to fly under the radar as much as possible.
Tycoon has been observed in the wild since at least December 2019 and mainly targets small- to medium-sized companies and institutions in the education and software industries.
An attack timeline
- The attacker connects to the systems using a remote desktop protocol (RDP) server on the organization’s network.
- The attacker finds an interesting target and manages to secure local admin credentials.
- The attacker installs Process Hacker as a service and disables the antivirus software.
- The attacker drops a backdoor and leaves the network.
- The attacker connects to the RDP server and uses it as a pivot point to move laterally across the network.
- The attacker makes RDP connections to each system one after the other. (Analysis of this activity suggests manual initiation of the RDP connection for each server.)
- The attacker runs Process Hacker as a service and disables the antivirus software.
- The attacker runs a batch file to execute the ransomware.
- The attacker follows the same process for each infected server on the network.
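The timeline above repeats the same two steps on every server: an RDP logon, then Process Hacker installed as a service. That pairing is something a defender can look for in host logs. The following is an added example (not code from the original post or from the BlackBerry research it summarizes) that correlates RemoteInteractive logons (Windows Security event 4624, logon type 10) with service installations (System event 7045) on the same host. The event shapes, the 30-minute window, the Process Hacker name markers and the log lines themselves are all constructed assumptions for illustration.

```python
"""Correlate RDP logons with Process Hacker service installs on the same host.

Constructed sample data, shaped loosely like Windows Security (4624) and
System (7045) events exported as JSON lines; not real logs from the campaign.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed: a service install this soon after an RDP logon is worth a look
PROCESS_HACKER_MARKERS = ("processhacker", "kprocesshacker")  # assumed indicators for the utility

# Constructed sample events (JSON lines). Raw string so the JSON "\\" escapes survive.
SAMPLE_EVENTS = r"""
{"ts": "2020-01-10T02:11:05Z", "host": "FS01", "event_id": 4624, "logon_type": 10, "user": "svc_backup", "src_ip": "203.0.113.7"}
{"ts": "2020-01-10T02:13:40Z", "host": "FS01", "event_id": 7045, "service": "ProcessHacker", "image_path": "C:\\Temp\\ProcessHacker.exe"}
{"ts": "2020-01-10T02:15:02Z", "host": "FS01", "event_id": 7045, "service": "KProcessHacker2", "image_path": "C:\\Temp\\kprocesshacker.sys"}
{"ts": "2020-01-10T02:40:11Z", "host": "FS02", "event_id": 4624, "logon_type": 10, "user": "svc_backup", "src_ip": "10.0.0.15"}
{"ts": "2020-01-10T02:42:59Z", "host": "FS02", "event_id": 7045, "service": "ProcessHacker", "image_path": "C:\\Temp\\ProcessHacker.exe"}
{"ts": "2020-01-10T09:00:00Z", "host": "WS07", "event_id": 4624, "logon_type": 10, "user": "alice", "src_ip": "10.0.0.20"}
{"ts": "2020-01-10T12:30:00Z", "host": "WS07", "event_id": 7045, "service": "CorpAgent", "image_path": "C:\\Program Files\\Corp\\agent.exe"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a real datetime, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def looks_like_process_hacker(ev):
    """True when the service name or image path carries one of the assumed markers."""
    hay = (ev.get("service", "") + " " + ev.get("image_path", "")).lower()
    return any(marker in hay for marker in PROCESS_HACKER_MARKERS)


def correlate(events):
    """Return one alert per suspicious service install that follows an RDP logon within WINDOW."""
    last_rdp = {}  # host -> most recent RemoteInteractive (type 10) logon seen so far
    alerts = []
    for ev in events:
        if ev["event_id"] == 4624 and ev.get("logon_type") == 10:
            last_rdp[ev["host"]] = ev
        elif ev["event_id"] == 7045 and looks_like_process_hacker(ev):
            logon = last_rdp.get(ev["host"])
            if logon is not None and ev["ts"] - logon["ts"] <= WINDOW:
                alerts.append({
                    "host": ev["host"],
                    "user": logon["user"],
                    "src_ip": logon["src_ip"],
                    "service": ev["service"],
                    "image_path": ev["image_path"],
                    "minutes_after_logon": round((ev["ts"] - logon["ts"]).total_seconds() / 60, 1),
                })
    return alerts


def hosts_per_actor(alerts):
    """Group alerted hosts by the logon account, to expose the one-server-after-another pattern."""
    seen = defaultdict(set)
    for alert in alerts:
        seen[alert["user"]].add(alert["host"])
    return {user: sorted(hosts) for user, hosts in seen.items()}


if __name__ == "__main__":
    found = correlate(parse_events(SAMPLE_EVENTS))
    for alert in found:
        print(f"{alert['host']}: {alert['service']} installed {alert['minutes_after_logon']} min "
              f"after RDP logon by {alert['user']} from {alert['src_ip']}")
    print("hosts touched per account:", hosts_per_actor(found))
```

The WS07 pair is the control case: a legitimate agent installed hours after an ordinary RDP session produces no alert, while the same account appearing on FS01 and FS02 in quick succession surfaces the manual host-by-host pattern described above.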
It must be noted, however, that earlier variants reused a common RSA private key, so for those variants it may be possible to recover data without paying the ransom.
Unique and noteworthy techniques
In their analysis of the victim machines, the BlackBerry research team found that some of the techniques used by the attacker were unusual and noteworthy:
- Use of IFEO injection
The attackers used a technique called Image File Execution Options injection to achieve persistence on the victim’s machine. The settings for IFEO are stored in the Windows registry. These settings allow developers to debug their software through the attachment of a debugging application during the execution of a target application.
- Execution of a backdoor
The backdoor was executed alongside the Microsoft Windows On-Screen Keyboard (OSK) feature of the operating system.
- Disabling of anti-malware solution
The attackers disabled the organization’s anti-malware solution using the Process Hacker utility and changed the passwords for the Active Directory servers. As a result, the victim could no longer access their systems.
Most of the attacker’s files were timestomped (their file timestamps altered), including the Java libraries and the execution script.
- Executing the ransomware module
Finally, the attackers executed the Java ransomware module and encrypted all file servers, including any backup systems connected to the network.
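Because IFEO lives in the registry, auditing it is straightforward: export the Image File Execution Options key and review every subkey that carries a Debugger value, since that value names the program Windows will launch in place of the image. The following is an added example (not the post's or BlackBerry's code) that reads a decoded `reg export` of that key and flags Debugger entries whose executable is not a recognised debugger. The allowlist of debugger names and the registry text are constructed assumptions; a real export is UTF-16LE and must be decoded first.

```python
"""Audit Image File Execution Options (IFEO) Debugger entries from a .reg export.

The .reg text below is constructed for illustration; decode a real
`reg export` (UTF-16LE with BOM) before passing it to audit().
"""
import ntpath
import re

KNOWN_DEBUGGERS = {"windbg.exe", "cdb.exe", "vsjitdebugger.exe"}  # assumed allowlist; tune per estate
IFEO_MARKER = "\\image file execution options\\"  # lower-cased fragment of the IFEO key path

KEY_RE = re.compile(r"^\[(.+)\]\s*$")
DEBUGGER_RE = re.compile(r'^"Debugger"="(.*)"\s*$', re.IGNORECASE)
EXE_RE = re.compile(r'^\s*"?(.*?\.exe)', re.IGNORECASE)

# Constructed sample export: one legitimate JIT-debugger entry, one persistence-style
# entry on an accessibility binary, and one subkey without a Debugger value at all.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Program Files (x86)\\Windows Kits\\10\\Debuggers\\x64\\windbg.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe]
"Debugger"="C:\\ProgramData\\update\\svc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe]
"GlobalFlag"=dword:00000002
'''


def unescape_reg(value):
    """Undo .reg string escaping: '\\\\' -> '\\' and '\\"' -> '"'."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_ifeo_export(text):
    """Yield (image, debugger_command) pairs for every IFEO subkey with a Debugger value."""
    current_image = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            key = key_match.group(1)
            idx = key.lower().find(IFEO_MARKER)
            # The parent key itself has no subkey name; only subkeys name an image.
            current_image = key[idx + len(IFEO_MARKER):] if idx >= 0 else None
            continue
        dbg_match = DEBUGGER_RE.match(line)
        if dbg_match and current_image:
            yield current_image, unescape_reg(dbg_match.group(1))


def audit(text):
    """Classify each Debugger entry as 'expected' (known debugger) or 'suspicious'."""
    findings = []
    for image, command in parse_ifeo_export(text):
        exe_match = EXE_RE.match(command)
        exe_name = ntpath.basename(exe_match.group(1)).lower() if exe_match else ""
        verdict = "expected" if exe_name in KNOWN_DEBUGGERS else "suspicious"
        findings.append({"image": image, "debugger": command,
                         "debugger_exe": exe_name, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_REG):
        print(f"[{finding['verdict']:10}] {finding['image']} -> {finding['debugger']}")
```

Any "suspicious" hit means that launching the named image will run something else first; the next step is to pull the referenced executable for analysis and check who wrote the registry value and when, alongside the service-install and RDP activity described earlier.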
Tycoon ransomware comes in the form of a ZIP archive containing a Trojanized Java Runtime Environment (JRE) build. The malware is compiled into a Java image file (JIMAGE) located at lib\modules within the build directory.
JIMAGE is a special file format that stores custom JRE images. It is designed to be used by the Java Virtual Machine (JVM) at runtime and encompasses resources and class files of all Java modules that support the specific JRE build. Java version 9 first introduced this sparsely documented format. Unlike the popular Java Archive format (JAR), JIMAGE is rarely used by developers and is mostly internal to the Java Development Kit.
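Because lib\modules is a single opaque file that few tools inspect, the practical defence is to treat it like any other vendor binary: confirm it carries a JIMAGE header and compare its hash with the hash of the same file from a clean vendor build. The following is an added example, not code from the post or from BlackBerry, that reads the fixed-size JIMAGE header (seven 32-bit fields beginning with the magic 0xCAFEDADA, as laid out in the JDK sources) and checks the whole file against a baseline digest. The sample files, the baseline and the assumption that the file was written little-endian (x86 builds) are constructed for illustration.

```python
"""Sanity-check a JRE's lib/modules (JIMAGE) file and compare it with a clean baseline.

Header layout follows the JDK's ImageHeader: magic, version (major<<16|minor),
flags, resource_count, table_length, locations_size, strings_size, each u4.
The file is written in the host byte order; little-endian is assumed here (x86).
"""
import hashlib
import struct

JIMAGE_MAGIC = 0xCAFEDADA
HEADER_FMT = "<7I"
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 28 bytes


def parse_jimage_header(data):
    """Return the header fields, or raise ValueError if this is not a JIMAGE."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too small to be a JIMAGE file")
    magic, version, flags, res, tbl, loc, strs = struct.unpack(HEADER_FMT, data[:HEADER_SIZE])
    if magic != JIMAGE_MAGIC:
        raise ValueError(f"bad magic 0x{magic:08X}, expected 0x{JIMAGE_MAGIC:08X}")
    return {"major": version >> 16, "minor": version & 0xFFFF, "flags": flags,
            "resource_count": res, "table_length": tbl,
            "locations_size": loc, "strings_size": strs}


def is_jimage(data):
    """Convenience predicate around parse_jimage_header()."""
    try:
        parse_jimage_header(data)
        return True
    except ValueError:
        return False


def verify_modules(data, expected_sha256):
    """Combine the header check with a whole-file hash comparison against a known-good build."""
    header = parse_jimage_header(data)
    digest = hashlib.sha256(data).hexdigest()
    return {"header": header, "sha256": digest,
            "matches_baseline": digest == expected_sha256}


def _fake_jimage(payload):
    """Constructed stand-in for a JIMAGE: a valid header followed by arbitrary content."""
    header = struct.pack(HEADER_FMT, JIMAGE_MAGIC, (1 << 16) | 0, 0, 3, 4, len(payload), 0)
    return header + payload


# Constructed samples: a 'vendor' file, a modified copy, and a ZIP that is not a JIMAGE at all.
VENDOR_MODULES = _fake_jimage(b"java.base/java/lang/Object.class...")
MODIFIED_MODULES = _fake_jimage(b"java.base/java/lang/Object.class..." + b"extra/injected.class")
NOT_A_JIMAGE = b"PK\x03\x04" + b"\x00" * 40
BASELINE_SHA256 = hashlib.sha256(VENDOR_MODULES).hexdigest()  # stands in for the vendor-published hash


if __name__ == "__main__":
    for label, blob in (("vendor", VENDOR_MODULES), ("modified", MODIFIED_MODULES)):
        result = verify_modules(blob, BASELINE_SHA256)
        print(f"{label}: JIMAGE {result['header']['major']}.{result['header']['minor']}, "
              f"baseline match = {result['matches_baseline']}")
    print("zip file recognised as JIMAGE:", is_jimage(NOT_A_JIMAGE))
```

Note that a trojanized build can keep a perfectly valid header, so the header check alone proves nothing; the hash comparison against the vendor's own lib\modules is the test that matters, and the header check simply tells you which kind of file you are looking at.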
After execution, the ransomware encrypts files across the network and appends Tycoon-specific extensions to the encrypted files, which include the following
In exchange for the decryption key, the attackers then demand a ransom payment in bitcoin and claim the price depends on how quickly the victim gets in touch via e-mail.
The campaign is still ongoing, pointing to considerable success by attackers in extorting payments from their victims.
Trajectory and links
So far, Tycoon has only been observed targeting Windows in the wild; however, shell scripts in the ransomware’s Java modules contain both Windows and Linux variants, which suggests a build that targets Linux.
Researchers suggest a potential link between Tycoon and another form of ransomware, Dharma (also known as Crysis), given the similarities in the email addresses, names of encrypted files, and the ransom note text.
Security measures to outsmart Tycoon
- With RDP being a common point of compromise, make sure that the only ports facing the Internet are those that absolutely require it.
- Ensure that accounts that do need access to Internet-facing ports aren’t using default credentials or weak passwords that can easily be cracked. (Address credential and password threats with multifactor authentication and/or single sign-on.)
- Apply security patches as they’re released to prevent criminals from exploiting known vulnerabilities.
- Regularly back up your network, and ensure a reliable backup—so that if the worst happens, the network can be restored without giving in to the demands of cybercriminals.
Address the vulnerabilities in your system with passwordless multifactor authentication and single sign-on login for a layered defense against ransomware.
Explore TraitWare’s enterprise-class solutions for your business.