
Tycoon Ransomware Targeting Windows and Linux Systems

A new ransomware is active on the web, one that threatens the education and corporate sectors. Called Tycoon, it targets Windows and Linux systems around the world.

Researchers from the BlackBerry security team, working alongside KPMG analysts, uncovered the new ransomware. What sets Tycoon apart is its reliance on Java: it is written in Java and deployed as a trojanized Java Runtime Environment (JRE) build, hidden inside a Java image file, which gives it a degree of stealth. Once it reaches a target, it encrypts files and appends the .redrum extension to the affected data; other versions use .redrum3_0, .grich or .thanos. Beyond encryption, the ransomware also works to prevent data recovery by overwriting the files it deletes. The encrypted data itself is left intact but locked with AES-256 in Galois/Counter Mode (GCM).


This Week in Malware Ep9: Java-Based Tycoon Ransomware Targets Windows & Linux PCs

The encryption is done in parts: for large files, portions are skipped, which lets the encryption finish quickly while still leaving the files unusable to their owners. The researchers currently suspect a link between Tycoon and the Dharma ransomware: overlaps in the email addresses used, the wording of the ransom note and the naming pattern of encrypted files point to a possible connection between the two.
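The appended extensions are the most immediate indicator a responder has when scoping an incident. The following triage script is an added example, not tooling from the article or from the BlackBerry/KPMG research: it walks a directory tree for files carrying the four markers named above, recovers the original file type from the name, and summarises the damage per variant, per original file type and per directory. The directory tree it scans is constructed inline so that it runs offline; for a real triage, point `find_encrypted_files` at the affected share.

```python
"""Scope a suspected Tycoon infection by locating files that carry the
extensions the report lists and summarising what was hit.

Added example, not BlackBerry/KPMG tooling. The directory tree scanned
here is constructed so the script runs offline."""
import tempfile
from collections import Counter
from pathlib import Path

# Extensions the report associates with Tycoon variants.
TYCOON_EXTENSIONS = {".redrum", ".redrum3_0", ".grich", ".thanos"}


def find_encrypted_files(root):
    """Return (path, original_extension, variant_marker) for every file
    under `root` whose final suffix is one of the Tycoon markers."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        marker = path.suffix.lower()
        if marker in TYCOON_EXTENSIONS:
            # Strip the appended marker to recover the original name, e.g.
            # "budget.xlsx.redrum" -> "budget.xlsx" -> original type ".xlsx".
            original = path.with_suffix("")
            hits.append((path, original.suffix.lower() or "(none)", marker))
    return hits


def summarise(root, hits):
    """Aggregate hits per variant marker (which hints at which ransom note
    and key set is involved), per original file type and per directory,
    so the blast radius can be sized quickly."""
    root = Path(root)
    return {
        "total": len(hits),
        "by_variant": Counter(m for _, _, m in hits),
        "by_original_type": Counter(o for _, o, _ in hits),
        "by_directory": Counter(
            p.parent.relative_to(root).as_posix() for p, _, _ in hits
        ),
    }


def build_sample_tree():
    """Construct a small fake file share (constructed data, not a real
    incident) mixing untouched files with Tycoon-style renamed ones."""
    root = Path(tempfile.mkdtemp(prefix="tycoon_triage_"))
    files = {
        "finance/budget.xlsx.redrum": b"\x00" * 64,
        "finance/forecast.docx.redrum": b"\x00" * 64,
        "hr/contracts.pdf.redrum3_0": b"\x00" * 64,
        "hr/notes.txt": b"plain, untouched file",
        "dev/src/main.java.grich": b"\x00" * 64,
        "dev/README.thanos": b"\x00" * 64,
        "dev/build.gradle": b"plain, untouched file",
    }
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return root


def triage_sample():
    """Scan the constructed tree and return the summary dictionary."""
    root = build_sample_tree()
    return summarise(root, find_encrypted_files(root))


if __name__ == "__main__":
    report = triage_sample()
    print(f"{report['total']} encrypted files found")
    for key in ("by_variant", "by_original_type", "by_directory"):
        print(f"{key}: {dict(report[key])}")
```

Grouping by variant marker matters because the article describes several versions; knowing which marker is present on a given host tells the responder which variant's ransom note and behaviour to expect before any recovery attempt.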

The Malware Aims at Specific Targets

Researchers found that the malware had been active since December 2019, yet despite being around for months it had not spread widely; it was deliberately aimed at specific victims instead. The "This Week in Malware" video gives an in-depth synopsis of how the Tycoon ransomware targets particular computers using its Java-based platform.

Researchers observing Tycoon noticed it targeting small and medium-sized businesses, predominantly software companies and educational institutions, likely because such organizations tend to be less rigorous about their security. Tycoon's operators get in through exposed RDP, so organizations need to ensure that only the ports they genuinely need are reachable from the internet. Regularly backing up company data is essential so that an infection never becomes a total loss.
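The RDP exposure point is something an administrator can check directly. The script below is an added example, not from the article or the researchers: it parses `ss -tln`-style listener output (a constructed table here) and flags services bound to a wildcard address, singling out RDP's default TCP port 3389, which the article does not name. The allowlist of ports permitted to face the internet is an illustrative assumption to be replaced with the organization's own policy.

```python
"""Flag listening services exposed on all interfaces, with RDP singled out,
from `ss -tln`-style output.

Added example, not from the article or the BlackBerry/KPMG report. The
listener table is constructed; on a real Linux host feed in `ss -tln`
output, or an equivalent listener export from another platform."""

# RDP listens on TCP 3389 by default (the article does not name the port).
RDP_PORT = 3389
# Assumed policy for illustration: only these ports may use a wildcard bind.
INTERNET_FACING_ALLOWLIST = {443}
WILDCARD_ADDRESSES = {"0.0.0.0", "[::]", "*"}

# Constructed sample in the layout `ss -tln` prints.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    0.0.0.0:3389        0.0.0.0:*
LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*
LISTEN 0      128    [::]:443            [::]:*
LISTEN 0      128    10.0.0.5:3389       0.0.0.0:*
"""


def parse_listeners(text):
    """Yield (address, port) for each LISTEN row, skipping the header.
    rpartition on ':' keeps bracketed IPv6 addresses such as [::] intact."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue
        addr, _, port = parts[3].rpartition(":")
        yield addr, int(port)


def audit_exposure(text, allowlist=INTERNET_FACING_ALLOWLIST):
    """Return findings as (severity, address, port) tuples.

    HIGH:   RDP on a wildcard bind, the access path the article describes.
    MEDIUM: any other wildcard bind not on the allowlist.
    LOW:    RDP bound to a specific interface; confirm that interface is
            not internet-routable."""
    findings = []
    for addr, port in parse_listeners(text):
        wildcard = addr in WILDCARD_ADDRESSES
        if port == RDP_PORT and wildcard:
            findings.append(("HIGH", addr, port))
        elif wildcard and port not in allowlist:
            findings.append(("MEDIUM", addr, port))
        elif port == RDP_PORT:
            findings.append(("LOW", addr, port))
    return findings


if __name__ == "__main__":
    for severity, addr, port in audit_exposure(SAMPLE_SS_OUTPUT):
        print(f"{severity:6} {addr}:{port}")
```

A loopback-only listener such as the database on 127.0.0.1 produces no finding, and an allowlisted HTTPS listener on [::] is accepted; everything else bound to a wildcard address is reported, with RDP escalated because it is the entry point the article attributes to Tycoon.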
