New ‘Tycoon’ Ransomware Strain Targets Windows, Linux
Researchers say Tycoon ransomware, which has targeted software and educational institutions, has a few traits they haven’t seen before.
A newly discovered form of Java-based ransomware has been spotted in active and seemingly targeted attacks on education and software companies, researchers from BlackBerry and KPMG report. This strain, dubbed Tycoon, uses an obscure Java image format to bypass security tools.
The discovery began when KPMG’s UK Cyber Response Services team was contacted to respond to a targeted attack against an educational institution. BlackBerry’s Research and Intelligence team, which works with KPMG, analyzed the threat. The Tycoon ransomware, they say, has been observed in the wild since December 2019 and targets both Windows and Linux machines. Its victim count is “limited,” researchers say, suggesting it may be a highly targeted threat.
In this case, an attacker connected to the target system using a Remote Desktop Protocol (RDP) server on the network, then located a target and obtained local administrator credentials. From there, they located a target and obtained local administrator credentials, installed process hacker-as-a-service, and disabled antivirus. They dropped a backdoor so they could gain re-entry and left.
Seven days later, the attacker connected to an RDP server and used it to move laterally across the network, making RDP connections to multiple systems. Analysis indicates RDP connections were manually initiated for each server, BlackBerry’s team states in a blog post. The attacker then ran process hacker-as-a-service and disabled antivirus, then executed the ransomware. It follows this same process for each infected server on the network, and files are encrypted with extensions including .thanos, .grinch, and .redrum.
“They really understood the environment,” says Eric Milam, vice president of Guard Services at Blackberry. “It’s not a shock why they chose ransomware … [they] were able to cause the maximum amount of damage across platforms.”
Once they established a foothold in the target organization, he says, it was “off to the races.” After a week, attackers targeted only the main servers with a clear indication of crippling the infrastructure and ensuring a ransom payment.
Tycoon Adds New Twist to Ransomware
Tycoon is deployed as a Trojanized Java Runtime Environment (JRE) and compiled into a Java image file (JIMAGE), a special file format that stores custom JRE images and is designed to be used by the Java Virtual Machine (JVM) at runtime. JIMAGE holds resources and class files of all Java modules that support the specific JRE build. Unlike the more popular Java Archive format (JAR), JIMAGE is mostly internal to the Java Development Kit (JDK). Developers rarely use it.
“Because JIMAGE is more used internally by Java, it’s a very nice way to hide,” says Claudiu Teodorescu, director of BlackBerry’s threat hunting and intelligence operations, noting that businesses may assume the activity is coming from an internal developer. “This is a nice way to be stealthy because nobody will look into JIMAGE and think something is off.”
The use of a JIMAGE file is “completely new” to ransomware, adds Milam. JIMAGE isn’t normally parsed by antivirus and may appear to be a standard component or library in the SDK. “There’s not a lot of reason to question [it],” he says. Researchers note the malicious JRE build contains both Windows and Linux versions of a shell script that triggers that ransomware when executed, suggesting Linux servers are also targets.
Because the attackers used an asymmetric RSA algorithm to encrypt the AES keys, file decryption requires obtaining the attacker’s private RSA key. Researchers note some victims may not have needed to pay: In a BleepingComputer forum, a Tycoon victim posted a private RSA key that presumably came from a decryptor they bought from the attackers. This key could be used to decrypt files infected with the earliest version of Tycoon, which had a .redrum extension.
Researchers also noticed an overlap between Tycoon and the Dharma/CrySIS ransomware — in particular, the email addresses, ransom note text, and naming convention for encrypted files. Dharma/CrySIS appeared last year and didn’t go away, Teodorescu says. When Tycoon appeared in December, researchers noticed the .redrum extension, which was also seen in the earlier Dharma/CrySIS campaigns. Like Tycoon, Dharma/CrySIS exploited weak credentials on RDP to break in. While there was no mention of Java in these attacks, the attackers were also living off the land.
Malware writers are constantly seeking new ways to evade detection, researchers state in their blog post. Now, they say, attackers are moving away from conventional obfuscation and toward uncommon programming languages and obscure data formats. They note a “substantial increase” in ransomware written in Java, Go, and other languages.
For businesses that want to better protect against Tycoon, Teodorescu advises first making sure they know their infrastructure: “Have a clear methodology of auditing credentials, patching your operating system, patching web servers, [and] making sure you have cyber hygiene methodology in place for your organization,” he says.