A Unique Attack – Tycoon ransomware


A newly discovered ransomware is targeting Windows and Linux PCs. It is named Tycoon after a reference in its code. The ransomware has been active since December 2019 and appears to be highly selective in its targets, which are mainly in the education and software industries. In addition, Tycoon uses an unusual technique that helps it stay hidden.

Tycoon ransomware is written in Java, is deployed as a trojanised Java Runtime Environment, and is compiled into a Java image file (JImage) to hide its malicious intent. BlackBerry's researchers and security analysts are working together to study the Tycoon ransomware in depth.

Eric Milam, VP of research and intelligence at BlackBerry, added that both of these methods are unique: Java is not often used to write endpoint malware, because it requires the Java Runtime Environment to execute the code, and image files are also rarely used for malware attacks. "Attackers are shifting towards uncommon programming languages and obscure data formats. Here, the attackers did not need to obscure their code but were nonetheless successful in accomplishing their goals," he added.

However, it uses a common vector for malware campaigns: it exploits weakly secured servers. Once inside the network, the attackers use Image File Execution Options (IFEO) settings and elevated privileges to disable anti-malware software with ProcessHacker, in order to prevent removal of their attack. Once execution finishes, the ransomware encrypts files across the network, appending extensions including .redrum, .grinch and .thanos. The last step of every ransomware attack is to demand a ransom in bitcoin in exchange for the decryption key.

Tycoon ransomware could be linked to another ransomware family, Dharma, as the two share similarities in the email addresses used, the names of encrypted files and the text of the ransom note. Dharma, also known as Crysis, is a high-risk ransomware that encrypts stored files using asymmetric cryptography.

Moreover, amid the increased concern over the Covid-19 global pandemic, cyber criminals have incorporated the pandemic into their scams, and this has been observed with Dharma ransomware as well.

Mitigation and Prevention of the ransomware

Because Tycoon ransomware uses some unique attack techniques, it is difficult to prevent. To protect a system, one needs sufficient knowledge of the ransomware; however, Tycoon is still little understood and uses Java code and image files to deliver the malware. Remote Desktop Protocol (RDP) is a common means of compromise, so every organization should start by securing RDP to protect its systems. Updating and applying security patches prevents many ransomware attacks because it stops attackers from exploiting known vulnerabilities. Backups of data and of network configuration are the most important element for a company's immediate recovery and return to business. The company should always prepare for the worst-case scenario and take precautions to avoid it.
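The two technical points in this write-up that a defender can act on directly are the IFEO abuse used to disable anti-malware software and the RDP exposure named in the mitigation section, together with the file extensions (.redrum, .grinch, .thanos) left behind after encryption. The following triage script is an added example, not code from the article, LIFARS or BlackBerry. It assumes the defender has exported the relevant registry keys with `reg export` (or collected them from a forensic image) and has a file listing from the host; the `.reg` text, the file paths and the image name `av-service.exe` below are constructed sample data, and the `.reg` parser handles only the string and `dword:` value forms. Any IFEO subkey carrying a `Debugger` value redirects launches of that image to the named program, so an entry on a security product's process is exactly the tampering the write-up describes; legitimate entries exist (e.g. for developer debuggers), so every hit is a review item rather than an automatic verdict.

```python
"""Host triage for the Tycoon indicators discussed above (added example, not the article's code)."""
from typing import Any, Dict, List, Tuple

# Real registry locations used by the checks below.
IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
            r"\CurrentVersion\Image File Execution Options")
TS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"
RDP_TCP_KEY = TS_KEY + r"\WinStations\RDP-Tcp"

# File extensions the write-up attributes to Tycoon.
TYCOON_EXTENSIONS = (".redrum", ".grinch", ".thanos")


def _decode(value: str) -> Any:
    """Decode the two common .reg value encodings: "string" and dword:hex."""
    if value.startswith("dword:"):
        return int(value[6:], 16)
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        # .reg files double every backslash inside quoted strings.
        return value[1:-1].replace("\\\\", "\\")
    return value  # hex(...) and expanded strings are left undecoded


def parse_reg_export(text: str) -> Dict[str, Dict[str, Any]]:
    """Parse a 'Windows Registry Editor Version 5.00' export into {key: {name: value}}."""
    keys: Dict[str, Dict[str, Any]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = "(Default)" if name == "@" else name.strip().strip('"')
        keys[current][name] = _decode(value.strip())
    return keys


def find_ifeo_debuggers(keys: Dict[str, Dict[str, Any]]) -> List[Tuple[str, str]]:
    """Return (image name, Debugger target) for every IFEO subkey with a Debugger value."""
    prefix = IFEO_KEY.lower() + "\\"
    hits = []
    for key, values in keys.items():
        if key.lower().startswith(prefix) and "Debugger" in values:
            hits.append((key.rsplit("\\", 1)[1], values["Debugger"]))
    return hits


def rdp_findings(keys: Dict[str, Dict[str, Any]]) -> List[str]:
    """Flag RDP settings that widen the compromise vector named in the mitigation section."""
    findings = []
    if keys.get(TS_KEY, {}).get("fDenyTSConnections") == 0:
        findings.append("RDP enabled (fDenyTSConnections=0)")
    if keys.get(RDP_TCP_KEY, {}).get("UserAuthentication") == 0:
        findings.append("Network Level Authentication disabled (UserAuthentication=0)")
    return findings


def find_encrypted_files(paths: List[str]) -> List[str]:
    """Return paths carrying one of the extensions the write-up attributes to Tycoon."""
    return [p for p in paths if p.lower().endswith(TYCOON_EXTENSIONS)]


def triage(reg_text: str, paths: List[str]) -> Dict[str, Any]:
    """Run all three checks and return the findings as one report."""
    keys = parse_reg_export(reg_text)
    return {
        "ifeo_debuggers": find_ifeo_debuggers(keys),
        "rdp": rdp_findings(keys),
        "encrypted_files": find_encrypted_files(paths),
    }


# Constructed sample data: an IFEO hijack of an invented AV process name, a benign IFEO
# entry that must not be flagged, and an RDP configuration without NLA.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\av-service.exe]
"Debugger"="C:\\Temp\\ProcessHacker.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"DisableExceptionChainValidation"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"UserAuthentication"=dword:00000000
'''

SAMPLE_FILES = [  # constructed file listing
    r"C:\Users\alice\Documents\budget.xlsx.redrum",
    r"C:\Users\alice\Documents\notes.txt",
    r"\\fileserver\share\report.docx.thanos",
]

if __name__ == "__main__":
    for section, items in triage(SAMPLE_REG, SAMPLE_FILES).items():
        print(section)
        for item in items:
            print("  ", item)
```

In practice the registry text comes from `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` (and the equivalent for the Terminal Server key) and the file listing from a recursive directory walk; the `notepad.exe` entry in the sample shows that only `Debugger` values are reported, not every IFEO subkey.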