Tycoon Ransomware

Tycoon Ransomware Description

The Tycoon Ransomware is a new file-encrypting Trojan that appears to have been used for the first time around December 2019. During the past few weeks, the activity of the Tycoon Ransomware has spiked, which has attracted the attention of malware experts. The Tycoon Ransomware targets small to medium-sized enterprises located all around the globe, mainly.

The Tycoon Ransomware is written in the JAVA programming language. An interesting fact about the Tycoon Ransomware is that it is not propagated via the traditional distribution methods used by authors of data-lockers – phishing emails, malvertising, torrent trackers, etc. Instead, the creators of the Tycoon Ransomware are launching it manually on the targeted systems that have been breached previously, which points to a multi-stage attack.


This Week in Malware Ep9: Java-Based Tycoon Ransomware Targets Windows & Linux PCs

The attackers have used poorly secured RDP (Remote Desktop Protocol) services to deliver the Tycoon Ransomware to the targeted computers. Before launching the Tycoon Ransomware, the attackers will execute several tasks, including:

  • Disabling anti-malware applications by using publicly available tools like the ProcessHacker utility.
  • Changing the login credentials of the Windows Active Directory service to prevent the administrators from accessing the compromised system.
  • Deploying a backdoor on the infected host.
  • Locating and marking all the file backups so that the threat would encrypt them.

Next, the Tycoon Ransomware would be deployed via a shell script. The infected hosts contained a Windows batch file alongside a Linux shell script. This means that the Tycoon Ransomware can affect both Windows and Linux systems, which is probably why the threat was written in the JAVA programming language, as it is compatible with both.

The files encrypted by the Tycoon Ransomware would contain either the '.tahnos' or '.grinch' extensions. The Tycoon Ransomware would drop a ransom note named 'decryption.txt' on the infected host. The creators of the Tycoon Ransomware demand to be paid a ransom fee in Bitcoin and state that the fee will be increased by 10% every day until the victim pays up. The attackers have provided an email address for contact – ‘ppp4ddd@protonmail.com.'

Sadly, the Tycoon Ransomware is not decryptable for free yet. However, it is not advisable to cooperate with and pay cybercriminals.