A newly discovered form of ransomware is attacking Windows and Linux PCs. It is believed to have been active since December 2019 and to be operated by a group of cybercriminals who are extremely selective in their targets.
New Ransomware Detected and Detailed
According to a report by ZDNet, the ransomware is named Tycoon after references in its code. It is highly unusual in using a different deployment technique, which helps it stay hidden on compromised networks.
The Tycoon ransomware was discovered and detailed by BlackBerry researchers with the help of security analysts from KPMG.
The researchers also found that the group behind the new threat is targeting individuals and companies in the software and education industries.
It is especially unusual in that it was written in Java and is deployed as a trojanized Java Runtime Environment packaged as a Jimage (Java image) file, which helps hide its malicious intent.
"These are both unique methods. Java is very seldom used to write endpoint malware because it requires the Java Runtime Environment to be able to run the code. Image files are rarely used for malware attacks," said Eric Milam, the vice president for research and intelligence at BlackBerry.
He also said that although the people behind the Tycoon ransomware did not have to obfuscate the code they used, their attacks succeeded nonetheless.
How Does Tycoon Ransomware Work?
So, how does the new ransomware work?
According to the news outlet, the first stage of a Tycoon attack is more conventional: the attackers break into a network or device through insecure internet-facing RDP servers, a common entry point for malware.
The attackers also frequently exploit weak or previously compromised passwords.
Once inside the network, the cybercriminals use elevated privileges to disable anti-malware software so that it cannot detect and stop their attack.
They then maintain persistence through Image File Execution Options (IFEO) injection, abusing a Windows setting that is intended to let developers attach a debugger to any program.
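The IFEO persistence described above leaves a visible trace: a `Debugger` value under the Image File Execution Options key for the hijacked program. The following audit script is an added example, not code from the BlackBerry/KPMG report or from the Tycoon sample. It parses a `.reg` export of that key (the sample export below is constructed, with a hypothetical Java-based debugger entry for illustration) and flags every `Debugger` value that does not point at a debugger binary on an assumed allowlist; the allowlist and the export command are assumptions to adapt to your own estate.

```python
"""Audit Image File Execution Options (IFEO) Debugger entries from a .reg export.

Added example. SAMPLE_REG is constructed. On a live Windows host the same text
can be produced with:
  reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg
"""
import ntpath
import re

IFEO_PREFIX = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
               "\\Image File Execution Options\\")

# Assumption: debuggers your organisation legitimately registers under IFEO.
KNOWN_DEBUGGERS = {"vsjitdebugger.exe", "windbg.exe"}

# Constructed .reg export: one legitimate Visual Studio JIT debugger entry, one
# hypothetical entry pointing a Java runtime at explorer.exe, one key with no Debugger.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VS7Debug\\vsjitdebugger.exe\" -p %ld -e %ld"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\ProgramData\\jre\\bin\\java.exe -jar C:\\ProgramData\\jre\\lib\\modules"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe]
"GlobalFlag"=dword:00000000
"""

_DEBUGGER_LINE = re.compile(r'^"Debugger"="(.*)"$')


def _unescape_reg_string(raw: str) -> str:
    """Undo .reg string escaping: '\\\\' -> '\\' and '\\"' -> '"'."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            out.append(raw[i + 1])
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)


def parse_ifeo_debuggers(reg_text: str) -> dict:
    """Return {image_name: debugger_command} for every Debugger value under IFEO."""
    findings = {}
    current_image = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.lower().startswith(IFEO_PREFIX.lower()):
                current_image = key[len(IFEO_PREFIX):].lower()
            else:
                current_image = None  # some other hive section; ignore its values
            continue
        m = _DEBUGGER_LINE.match(line)
        if m and current_image:
            findings[current_image] = _unescape_reg_string(m.group(1))
    return findings


def _debugger_executable(cmd: str) -> str:
    """Extract the debugger binary's file name from a (possibly quoted) command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        exe = cmd[1:end] if end > 0 else cmd[1:]
    else:
        parts = cmd.split()
        exe = parts[0] if parts else ""
    return ntpath.basename(exe).lower()


def suspicious_ifeo_entries(findings: dict) -> dict:
    """Return the subset of findings whose debugger binary is not on the allowlist."""
    return {image: cmd for image, cmd in findings.items()
            if _debugger_executable(cmd) not in KNOWN_DEBUGGERS}


if __name__ == "__main__":
    found = parse_ifeo_debuggers(SAMPLE_REG)
    for image, cmd in suspicious_ifeo_entries(found).items():
        print(f"SUSPICIOUS IFEO Debugger for {image}: {cmd}")
```

Any hit from this script deserves a look even when the debugger path looks familiar, because the key also redirects launches of the named program on every logon; in a real audit, run the export on each host and compare the output against a known-good baseline rather than relying on the allowlist alone.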
"Ransomware can be implemented in high-level languages such as Java with no obfuscation and executed in unexpected ways," Milam also said.
After execution, Tycoon encrypts files across the network, appending extensions such as .thanos, .redrum, and .grinch. The attackers then email the victim to say they hold the decryption key and that the victim will have to pay for it.
Payment is demanded in bitcoin, which makes it harder to trace, and the price often depends on how long the victim takes to reply.
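The extensions named above give defenders a simple signal: a single host creating many files with those suffixes in a short window looks like encryption in progress. The detector below is an added example, not code from the report or the malware. It runs over constructed file-creation event lines (the format, hosts, paths and timestamps are all made up to resemble a minimal EDR or Sysmon file-create feed) and raises one alert per host once the count of Tycoon-extension files inside a sliding time window reaches an assumed threshold.

```python
"""Flag hosts that create many Tycoon-extension files within a short window.

Added example; SAMPLE_EVENTS is constructed telemetry, not real logs.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Extensions reported for Tycoon-encrypted files.
TYCOON_EXTENSIONS = {".thanos", ".redrum", ".grinch"}

# Assumed tuning: at least this many matching file creations on one host
# inside WINDOW triggers an alert for that host.
ALERT_THRESHOLD = 5
WINDOW = timedelta(minutes=2)

# Assumed record layout: ISO timestamp, host, event type, quoted path.
EVENT_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) event=FileCreate path="(?P<path>[^"]+)"$')

SAMPLE_EVENTS = r"""
2019-12-11T03:14:05Z host=WS-07 event=FileCreate path="C:\Users\ana\Documents\budget.xlsx.thanos"
2019-12-11T03:14:06Z host=WS-07 event=FileCreate path="C:\Users\ana\Documents\plan.docx.thanos"
2019-12-11T03:14:07Z host=WS-07 event=FileCreate path="C:\Users\ana\Documents\notes.docx"
2019-12-11T03:14:08Z host=WS-07 event=FileCreate path="C:\Users\ana\Pictures\team.jpg.thanos"
2019-12-11T03:14:09Z host=WS-07 event=FileCreate path="C:\Users\ana\Desktop\todo.txt.thanos"
2019-12-11T03:14:11Z host=WS-07 event=FileCreate path="C:\Shares\finance\q4.pdf.thanos"
2019-12-11T03:14:12Z host=WS-07 event=FileCreate path="C:\Shares\finance\q3.pdf.thanos"
2019-12-11T03:20:00Z host=WS-12 event=FileCreate path="C:\Users\bo\old.zip.redrum"
2019-12-11T03:31:00Z host=WS-12 event=FileCreate path="C:\Users\bo\old2.zip.redrum"
2019-12-11T04:02:30Z host=SRV-01 event=FileCreate path="D:\backup\db.bak.grinch"
this line is deliberately malformed and must be skipped
"""


def parse_events(text: str) -> list:
    """Parse event lines into (timestamp, host, path) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["host"], m["path"]))
    return events


def ransomware_extension(path: str):
    """Return the Tycoon extension the path ends with, or None."""
    lower = path.lower()
    for ext in TYCOON_EXTENSIONS:
        if lower.endswith(ext):
            return ext
    return None


def detect_bulk_encryption(text: str, threshold: int = ALERT_THRESHOLD,
                           window: timedelta = WINDOW) -> dict:
    """Return {host: {"count", "first_seen", "extensions"}} for hosts that reach
    `threshold` Tycoon-extension file creations inside a sliding `window`."""
    recent = defaultdict(deque)   # host -> deque of (timestamp, extension) inside window
    alerts = {}
    for ts, host, path in sorted(parse_events(text)):
        ext = ransomware_extension(path)
        if ext is None:
            continue                      # ordinary file activity, not counted
        q = recent[host]
        q.append((ts, ext))
        while q and ts - q[0][0] > window:
            q.popleft()                   # drop events that fell out of the window
        if len(q) >= threshold and host not in alerts:
            alerts[host] = {
                "count": len(q),
                "first_seen": q[0][0],
                "extensions": {e for _, e in q},
            }
    return alerts


if __name__ == "__main__":
    for host, info in detect_bulk_encryption(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {info['count']} encrypted-looking files since "
              f"{info['first_seen'].isoformat()} ({', '.join(sorted(info['extensions']))})")
```

With the sample data only WS-07 trips the detector; WS-12 and SRV-01 each touch a matching extension but never reach the threshold inside the window, which is the trade-off to keep in mind when tuning: a lower threshold catches slower encryptors at the cost of false positives from legitimate bulk file operations.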
Connected to Dharma?
According to the researchers at BlackBerry, the attacks are ongoing, suggesting that the cybercriminals are succeeding in extracting payment from their victims.
They also have reason to believe that Tycoon is linked to another malware family known as Dharma or Crysis, based on similarities in the email addresses used, the content of the ransom note, and the naming of the encrypted files.
Despite its unusual form, it is still possible to prevent Tycoon from encrypting your network.
For one, use strong passwords on all accounts, especially those with access to internet-facing ports, and restrict the use of those ports to the accounts that absolutely require it.