Security researchers have recently identified a new ransomware, named Tycoon, that targets both Linux and Windows systems across a number of industries. The BlackBerry Research and Intelligence Team and KPMG’s UK cyber response services discovered the strain and gave it the name Tycoon. According to them, it is affecting SMBs (small and medium-sized businesses) in the software industry and educational institutions alike. What makes this malware more potent is that it targets not one but two platforms, Linux and Windows, which are the two most commonly used systems across the globe.
More on Tycoon ransomware:
The team further found that the malware has to be deployed manually: the attackers target individual systems and connect to an RDP server, then infiltrate using local credentials. After securing access to the system, they uninstall any antivirus that may be present. Shortly afterwards, an application called ProcessHacker is installed.
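The deployment chain described above (RDP logon, antivirus removal, ProcessHacker execution) is the kind of sequence a SOC can correlate from ordinary host logs. The following is an added detection example written for this article; it is not code from the BlackBerry/KPMG report. The event stream, host names, user names and the antivirus product names are constructed placeholders, and the `Event` model is a simplified stand-in for whatever your SIEM emits (Windows Security event 4624 with logon type 10 is the usual source for RDP logons).

```python
"""Correlate a constructed host event stream for the deployment chain the Tycoon
write-up describes: RDP logon -> antivirus uninstall -> ProcessHacker start,
all on the same host by the same account within a short window."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Chain stages in the order the article describes them.
STAGES = ("rdp_logon", "av_uninstall", "processhacker_start")

# Placeholder antivirus product keywords (constructed; substitute the products in your estate).
AV_PRODUCT_KEYWORDS = ("antivirus", "endpoint protection", "exampleav")


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    kind: str    # "logon", "uninstall" or "process"
    detail: str  # logon type, uninstalled product name, or process image path


@dataclass
class ChainState:
    # stage name -> timestamp at which it was observed for one (host, user)
    seen: Dict[str, datetime] = field(default_factory=dict)


def classify(ev: Event) -> Optional[str]:
    """Map a raw event to a chain stage, or None if it is not of interest."""
    if ev.kind == "logon" and ev.detail == "10":  # 4624 logon type 10 = RemoteInteractive (RDP)
        return "rdp_logon"
    if ev.kind == "uninstall" and any(k in ev.detail.lower() for k in AV_PRODUCT_KEYWORDS):
        return "av_uninstall"
    if ev.kind == "process":
        image = ev.detail.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if image == "processhacker.exe":
            return "processhacker_start"
    return None


def detect_chain(events: List[Event], window: timedelta = timedelta(hours=2)) -> List[dict]:
    """Return one alert per (host, user) on which all stages occur in order within `window`
    of the RDP logon. Stages seen out of order or outside the window do not alert."""
    states: Dict[Tuple[str, str], ChainState] = {}
    alerts: List[dict] = []
    for ev in sorted(events, key=lambda e: e.ts):
        stage = classify(ev)
        if stage is None:
            continue
        st = states.setdefault((ev.host, ev.user), ChainState())
        idx = STAGES.index(stage)
        if idx == 0:
            st.seen = {stage: ev.ts}  # a fresh RDP logon restarts the chain
            continue
        prev = STAGES[idx - 1]
        if prev in st.seen and ev.ts - st.seen["rdp_logon"] <= window:
            st.seen[stage] = ev.ts
            if idx == len(STAGES) - 1:
                alerts.append({"host": ev.host, "user": ev.user,
                               "start": st.seen["rdp_logon"], "end": ev.ts})
                st.seen = {}
    return alerts


# Constructed sample events (not real telemetry).
T0 = datetime(2020, 6, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    # srv-01: full chain within nine minutes -> should alert
    Event(T0, "srv-01", "localadmin", "logon", "10"),
    Event(T0 + timedelta(minutes=4), "srv-01", "localadmin", "uninstall", "ExampleAV Endpoint Protection"),
    Event(T0 + timedelta(minutes=9), "srv-01", "localadmin", "process", r"C:\Tools\ProcessHacker.exe"),
    # srv-02: admin RDP session with an unrelated uninstall and no ProcessHacker -> no alert
    Event(T0, "srv-02", "ops", "logon", "10"),
    Event(T0 + timedelta(minutes=3), "srv-02", "ops", "uninstall", "Example Reporting Tool"),
    # srv-03: all stages present but five hours after the logon -> outside the window, no alert
    Event(T0, "srv-03", "localadmin", "logon", "10"),
    Event(T0 + timedelta(hours=5), "srv-03", "localadmin", "uninstall", "ExampleAV Endpoint Protection"),
    Event(T0 + timedelta(hours=5, minutes=2), "srv-03", "localadmin", "process", r"C:\Tools\ProcessHacker.exe"),
]

if __name__ == "__main__":
    for alert in detect_chain(SAMPLE_EVENTS):
        print(alert)
```

The rule deliberately requires the three stages in the order the article gives; a ProcessHacker start that precedes the antivirus removal, or one that happens hours after the RDP session, is left to lower-severity single-event rules so that routine administrator sessions do not page the on-call analyst.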
What does Tycoon ransomware do?
Once installed on a system, Tycoon begins encrypting files on the server, and a ransom is then sought from the victim. According to the researchers the ransomware targets both Linux and Windows, meaning its potential reach is wide.
The BlackBerry researchers also note that malware writers commonly use obscure languages and coding techniques to fly under the radar, which is why Java and Go are popular with them. This, however, is the first time they have encountered malware that abuses the Java JIMAGE format to create a custom JRE build.
The JRE Build:
Tycoon ransomware is delivered as a trojanized Java Runtime Environment (JRE). Piggybacking on the Java image format helps the ransomware avoid detection. The settings for this Java image are deliberately configured to give developers the option of debugging their software, which requires a debugging application to be installed first; it is this mechanism that the malware writers abuse to gain access to a particular system.
How far has Tycoon ransomware reached?
Experts in the field say the malware has existed for six months, but the number of attacks has been small, which indicates that they are highly targeted. It also suggests the malware writers are experimenting with different ways of compromising a host system in order to see which method works best.
Why the Name Tycoon?
The ransomware was named “Tycoon” after various references to that word were found in its code. It has existed since 2019 and is used against specific targets.
The use of Java and the JRE to piggyback onto systems is highly unusual; experts have seldom seen such a method. Beyond gaining access to a system, the malware writers also seek to remove any existing antivirus from it.