Tycoon Ransomware Aims at Software and Education Sector

Since December 2019, a new strain of human-operated ransomware has been seen in sophisticated attacks, targeting small to mid-size enterprises in the software and education sector.

What is this ransomware like?

  • Named by the security researchers of BlackBerry Threat Intelligence and KPMG, Tycoon is a Java-based multi-platform ransomware that can be employed to encrypt Windows as well as Linux devices.
  • Through vulnerable and exposed RDP servers, the attackers penetrate the victims’ networks and manually deploy the malware as a ZIP archive comprising a Trojanized Java Runtime Environment (JRE) framework.
  • According to the Blackberry and KPMG research, the resemblance in some of the email addresses, ransom notes, and nomenclature of encrypted files indicates a link between Tycoon and CrySIS ransomware.

Tracing Tycoon’s Activities

  • After attacking the domain controller and file servers of an organization in April 2020, the Tycoon ransomware locked system administrators out of their systems. In the attack, the initial infringement occurred through an Internet-exposed RDP jump-server.
  • The analysis of encrypted devices showed that Image File Execution Options (IFEO) injection was leveraged to install a backdoor to the Microsoft Windows On-Screen Keyboard (OSK) feature.
  • The attackers encrypted every file server and network backups by planting the Java ransomware module. They altered the Active Directory passwords to avoid access to the compromised servers and used ProcessHacker to disable the anti-malware solution.

How capable is Tycoon?

  • Tycoon employs the JIMAGE format to develop malicious custom JRE frameworks executed with a shell script.
  • Since this malicious JRE framework contains a Windows batch file as well as a Linux shell, the researchers think Tycoon can easily encrypt Linux servers.
  • As the malware uses asymmetric RSA algorithms to encrypt the secured AES keys, the file decryption requires acquiring the attacker’s private RSA keys.

The never-ending list of human-operated ransomware

  • Last month, Microsoft shared information on another Java-based, manually deployed ransomware, PonyFinal. The ransomware was employed to perform encryption across the victim’s network after exploiting their management server and targeting endpoints with already installed JRE.
  • In addition to Tycoon and PonyFinal, the list of human-operated ransomware is endless, which includes ransomware such as Maze, RobbinHood, Sodinokibi, Vatet loader, NetWalker, RagnarLocker, Paradise, LockBit, and MedusaLocker.