I. Targeted Industries
- Higher Education
- Software Sector
- Small and Midsize Businesses (SMBs)
The BlackBerry Research and Intelligence Team recently discovered a new ransomware strain called Tycoon. The malware is written in Java and takes its name from references found in its code. Tycoon has been in the wild since at least December 2019 and has targeted organizations in the education and software industries as well as small and midsize businesses. It is considered unusual because it is deployed as a trojanized Java Runtime Environment and is packaged inside a Java image file (Jimage) to conceal its malicious intent. BlackBerry researchers, in partnership with security analysts at KPMG, suggest this malware is part of a highly targeted campaign, given the small number of victims observed so far.
III. Background Information
Tycoon is a multi-platform Java ransomware that targets Windows and Linux systems. In the incident analyzed by BlackBerry and KPMG, the attackers compromised the domain controller and file servers and locked the system administrator out of the network. The initial intrusion occurred through an internet-facing remote desktop protocol (RDP) jump server; exposed RDP protected by weak or previously compromised passwords is a common initial access vector for ransomware campaigns. Researchers at BlackBerry and KPMG note that the techniques used by the attackers were unusual and noteworthy. For persistence the attackers abused Image File Execution Options (IFEO) settings, which are stored in the Windows registry and exist to let a developer attach a debugger to a program when it starts: by registering a "debugger" for a legitimate Windows executable (the On-Screen Keyboard, according to the BlackBerry report), they caused a backdoor to run whenever that program was launched. Once the target was infiltrated using local admin credentials, the attackers disabled the organization's anti-malware solution with the help of the Process Hacker utility (an open-source process manager, not a hacker-as-a-service offering) and changed the passwords for Active Directory servers. The malware was deployed as a ZIP archive containing a trojanized Java Runtime Environment (JRE) build and leverages an obscure Java image format (Jimage) to fly under the radar.
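The IFEO trick above leaves a durable artifact: a Debugger value under the Image File Execution Options key for the hijacked executable. As an added example (not code from the BlackBerry or KPMG analysis), the following Python parses a `reg export` of that key, such as one collected during triage, and reports every Debugger value it finds. The sample export, the osk.exe target and the debugger paths in it are constructed for illustration; `find_ifeo_debuggers` treats any debugger that does not live under an allowed tooling directory as suspicious.

```python
"""Flag Image File Execution Options (IFEO) debugger hijacks in a .reg export.

Added example, not code from the cited reports. If
HKLM\\...\\Image File Execution Options\\<exe> carries a "Debugger" value,
Windows launches that path instead of <exe> and hands it the original
command line, which is how a backdoor can ride along with a legitimate
program. A real `reg export` is UTF-16LE with a BOM; decode it with
text = open(path, encoding="utf-16").read() before calling the functions.
"""
import re

IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
            r"\CurrentVersion\Image File Execution Options")

# Constructed sample export: a benign key with only MitigationOptions, a
# Debugger pointing at a hypothetical dropped binary under ProgramData, and
# a legitimate debugger registration for Visual Studio.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"MitigationOptions"=hex(b):00,01,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe]
"Debugger"="C:\\ProgramData\\updates\\helper.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\devenv.exe]
"Debugger"="C:\\Program Files (x86)\\Windows Kits\\10\\Debuggers\\x64\\windbg.exe"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def parse_reg_export(text):
    """Yield (key_path, value_name, raw_data) for every value in a .reg file."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield key, m.group("name"), m.group("data")


def unescape_reg_string(data):
    """Turn a .reg REG_SZ literal ("C:\\\\x") into its plain value; None otherwise."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return None


def find_ifeo_debuggers(text, allowed_prefixes=(r"C:\Program Files",)):
    """Return [(target_exe, debugger_path, suspicious)] for each IFEO Debugger value.

    A debugger outside the allowed tooling directories is flagged; in a real
    review every hit still deserves a look, since an attacker can drop a
    binary under Program Files as well.
    """
    hits = []
    prefix = IFEO_KEY.lower() + "\\"
    lowered_allowed = tuple(p.lower() for p in allowed_prefixes)
    for key, name, data in parse_reg_export(text):
        if not key.lower().startswith(prefix) or name.lower() != "debugger":
            continue
        target = key[len(prefix):]
        debugger = unescape_reg_string(data)
        if debugger is None:          # not a string value, nothing Windows would exec
            continue
        suspicious = not debugger.lower().startswith(lowered_allowed)
        hits.append((target, debugger, suspicious))
    return hits


if __name__ == "__main__":
    for target, debugger, suspicious in find_ifeo_debuggers(SAMPLE_EXPORT):
        flag = "SUSPICIOUS" if suspicious else "ok"
        print(f"{flag:10} {target} -> {debugger}")
```

Run the same function over a full `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` from each host in scope; on a clean fleet the list of Debugger values is short and stable, so anything new stands out.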
The Jimage file format is used to store custom JRE images that the Java Virtual Machine (JVM) loads at runtime; a stock JRE ships a single such image, and it is not a format most analysts or scanning tools inspect. BlackBerry researchers noted that malware writers are "slowly moving away from conventional obfuscation and shifting towards uncommon programming languages and obscure data formats". Tycoon's configuration includes the attacker's RSA public key, the ransom note, a list of shell commands to be executed, and the attacker's email address. The ransomware is launched by a shell script that runs the main function of the malicious Java module using the java -m command. Files are encrypted with AES (AES-256 in GCM mode, per the BlackBerry report) and each AES key is in turn encrypted with the embedded RSA public key, so decrypting the files requires the attacker's RSA private key. To prevent recovery, Tycoon overwrites the original files after encryption and then deletes them. Tycoon is believed to have ties to the Dharma (also known as CrySIS) ransomware family, based on similarities in the email addresses, the naming of encrypted files, and the text of the ransom note.
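Because the malicious module hides in a Jimage rather than in a JAR, a useful hunt is to look for Jimage files in places a JRE should not have them. As an added example (not code from the BlackBerry report or from the Tycoon sample), the following Python walks a ZIP archive, parses the Jimage header of every entry that begins with the Jimage magic (0xCAFEDADA, seven 32-bit fields, as defined in OpenJDK's image file layout), and flags any image that is not the stock `lib/modules`. The archive it scans is constructed in memory; the entry names and resource counts in it are placeholders, and the assumption that a normal JRE carries exactly one Jimage at `lib/modules` is the scanner's, not the report's.

```python
"""Hunt for Java image (jimage) files inside a ZIP archive.

Added example, not code from the BlackBerry report or the Tycoon sample.
Tycoon shipped as a ZIP containing a trojanized JRE whose malicious module
lived in a jimage. A stock modular JRE contains one jimage, lib/modules
(assumption about normal JRE layout), so any other entry that parses as a
jimage is worth pulling apart. The header layout follows OpenJDK's
ImageHeader: magic, version (major<<16 | minor), flags, resource_count,
table_length, locations_size, strings_size, all u4 in the build host's
byte order.
"""
import io
import struct
import zipfile

JIMAGE_MAGIC = 0xCAFEDADA
HEADER_LEN = 7 * 4
EXPECTED_SUFFIX = "lib/modules"


def parse_jimage_header(data: bytes):
    """Return the header fields as a dict, or None if data is not a jimage.

    Both byte orders are tried because the JVM itself accepts the inverted
    magic and byte-swaps the header when the image came from the other
    endianness.
    """
    if len(data) < HEADER_LEN:
        return None
    for fmt in ("<7I", ">7I"):
        fields = struct.unpack(fmt, data[:HEADER_LEN])
        if fields[0] != JIMAGE_MAGIC:
            continue
        _, version, flags, resources, table_len, loc_size, str_size = fields
        return {
            "endian": "little" if fmt[0] == "<" else "big",
            "major": version >> 16,
            "minor": version & 0xFFFF,
            "flags": flags,
            "resource_count": resources,
            "table_length": table_len,
            "locations_size": loc_size,
            "strings_size": str_size,
        }
    return None


def scan_zip(zip_bytes: bytes):
    """Return (entry_name, header, suspicious) for every jimage entry in the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(HEADER_LEN)   # only the header is needed to identify it
            header = parse_jimage_header(head)
            if header is None:
                continue
            suspicious = not info.filename.endswith(EXPECTED_SUFFIX)
            findings.append((info.filename, header, suspicious))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a fake JRE ZIP with the stock modules image plus a
    second jimage hiding under lib/. All counts are arbitrary placeholders."""
    def jimage(resource_count):
        return struct.pack("<7I", JIMAGE_MAGIC, 1 << 16, 0,
                           resource_count, 64, 512, 256) + b"\0" * 64
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("jre/bin/java", b"placeholder launcher binary")
        zf.writestr("jre/lib/modules", jimage(5000))
        zf.writestr("jre/lib/security/cacerts", b"not a jimage")
        zf.writestr("jre/lib/extra.dat", jimage(3))
    return buf.getvalue()


if __name__ == "__main__":
    for name, header, suspicious in scan_zip(build_sample_archive()):
        flag = "SUSPICIOUS" if suspicious else "expected"
        print(f"{flag:10} {name}: v{header['major']}.{header['minor']}, "
              f"{header['resource_count']} resources")
```

A hit on an unexpected path is only the start: the image's resource names can then be listed with the `jimage list` tool that ships with the JDK, which is how the embedded module's class names and configuration resources become visible without running anything.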
- Malware Monitoring
Continue to monitor vendor and industry reporting and stay informed as new information on this malware strain becomes available.
- Incorporate known IOCs into IDS
Incorporate the known IOCs of this malware into your intrusion detection system so that suspicious behavior related to it is identified and acted on.
- Patch Updates
Patch consistently, prioritizing internet-facing systems such as RDP jump servers.
- Scheduled Backups
Back up data regularly, store copies offline or in an otherwise isolated, reliable location, and test restores. Tycoon overwrites and then deletes the original files, so only backups it cannot reach allow recovery without the attacker's key.
- Password Security
Implement password management processes: enforce strong, unique passwords and multi-factor authentication for remote access such as RDP, and avoid exposing RDP directly to the internet, since weak or compromised RDP credentials were the initial access vector in this campaign.
V. Indicators of Compromise (IOCs)
The link below has been included to assist with the download of identified IOCs related to this Threat Advisory Report. Be on the lookout for these IOCs, as well as anything that looks similar.
(1) Arghire, Ionut. “Multi-Platform ‘Tycoon’ Ransomware Uses Rare Java Image Format for Evasion.” SecurityWeek, June 4, 2020. https://www.securityweek.com/multi-platform-tycoon-ransomware-uses-rare-java-image-format-evasion.
(2) Moore, Mike. "Linux and Windows Systems Targeted by New Tycoon Ransomware." TechRadar Pro, June 5, 2020. https://www.techradar.com/news/linux-and-windows-systems-targeted-by-new-tycoon-ransomware.
(3) Palmer, Danny. "This New Ransomware Is Targeting Windows and Linux PCs with a 'Unique' Attack." ZDNet, June 4, 2020. https://www.zdnet.com/article/this-new-ransomware-is-targeting-windows-and-linux-pcs-with-a-unique-attack/.
(4) Seals, Tara. "Tycoon Ransomware Banks on Unusual Image File Tactic." Threatpost, June 4, 2020. https://threatpost.com/tycoon-ransomware-unusual-image-file-tactic/156326/.
(5) "Threat Spotlight: Tycoon Ransomware Targets Education and Software Sectors." BlackBerry ThreatVector Blog, June 4, 2020. https://blogs.blackberry.com/en/2020/06/threat-spotlight-tycoon-ransomware-targets-education-and-software-sectors.