Linux and Windows systems targeted by the new Tycoon ransomware

Security experts have warned that a new strain of ransomware is targeting Linux and Windows systems in various industries. The malware, dubbed Tycoon by the researchers who discovered it, BlackBerry's Research and Intelligence Team working with KPMG's UK Cyber Response Services, has been used in what appear to be highly targeted attacks against SMEs in the software and education industries. The ransomware is all the more dangerous because it affects not just one family of devices but both Windows and Linux, which are widely used in specific industries.

Tycoon ransomware

The team noted that Tycoon appears to be deployed manually, with operators targeting individual systems after connecting to an RDP server. Once a target has been identified and infiltrated using local administrator credentials, the attacker disables the antivirus and installs a hacking tool such as the ProcessHacker service.

The ransomware takes the form of a trojanised Java Runtime Environment (JRE) that evades detection by being bundled in an obscure Java image format. The attackers also make use of Image File Execution Options (IFEO) settings, which are stored in the Windows registry and are ostensibly meant to give developers the ability to debug their software by attaching a debugger application when a target application is run. Once the ransomware runs on a system, it encrypts file servers and demands a ransom from victims.

BlackBerry noted that the malicious version of the JRE contained both Windows and Linux builds, suggesting that the criminals wanted to target multiple kinds of systems and servers.

"Malware writers are constantly looking for new ways to stay under the radar," BlackBerry wrote in a blog post explaining the findings. "They are slowly moving away from conventional obfuscation and turning to unusual programming languages and obscure data formats. We have already seen a substantial increase in ransomware written in languages like Java and Go. Tycoon is the first sample we found specifically abusing Java's JIMAGE format to create a malicious custom JRE build."

"Tycoon has been out for at least six months, but there appears to be a limited number of victims. This suggests that the malware can be highly selective. It may also be part of a larger campaign that uses several different ransomware solutions, depending on what is perceived to be most successful in specific environments."
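A defensive audit of the IFEO mechanism mentioned above, added here as an example and not taken from the article or the BlackBerry report: it lists every executable under the IFEO registry key that has a `Debugger` value set (the value that redirects a program's launch to another binary) and flags entries that point at a Java launcher or outside the Windows directory. The flagging heuristics are assumptions for illustration; any hit should be reviewed against the host's known software.

```powershell
# Added example: enumerate IFEO "Debugger" redirections and flag unusual ones.
# Run in an elevated PowerShell session; read-only, changes nothing.
$IfeoKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-IfeoDebuggers {
    Get-ChildItem -Path $IfeoKey -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            # Heuristics (assumed, not from the report): a Java launcher as the
            # "debugger", or a debugger located outside %SystemRoot%, is worth a look.
            $isJava      = $dbg -match '(?i)java(w)?\.exe'
            $outsideRoot = $dbg -notmatch '(?i)^"?[A-Z]:\\Windows\\'
            [pscustomobject]@{
                TargetExe  = $_.PSChildName   # the program whose launch gets redirected
                Debugger   = $dbg             # the binary that actually runs instead
                Suspicious = ($isJava -or $outsideRoot)
            }
        }
    }
}

# Show all IFEO debugger entries; suspicious ones first.
Get-IfeoDebuggers | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize
```

Legitimate entries (for example a developer's just-in-time debugger) do exist, so treat the `Suspicious` column as a triage aid rather than a verdict.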