Tycoon Ransomware Uses Rare Java Image File Format to Evade Security Solutions

Researchers at BlackBerry Threat Intelligence and KPMG have identified a new Java-based ransomware, dubbed Tycoon, that is being used in highly targeted attacks on educational institutions and small to medium-sized companies. The ransomware is deployed manually after the attackers gain access to the target’s network, most commonly by attacking vulnerable internet-exposed RDP servers.

The ransomware has been in use for at least 6 months, but the attacks have been conducted in relatively low numbers so far, which has allowed the attackers to stay under the radar. Most of the victims have been small- and medium-sized companies in the software industry and educational institutions.

The ransomware was identified after an educational institution contacted KPMG’s UK Cyber Response Services for assistance in resolving a ransomware attack. BlackBerry Threat Intelligence assisted with the investigation and analyzed the ransomware.

The attack started like many other manual ransomware attacks: internet-facing RDP servers were targeted, using brute force or stolen credentials to gain access. The attackers then located and obtained administrator credentials, used Image File Execution Options (IFEO) injection to execute a backdoor, and disabled antivirus software using ProcessHacker. After the initial compromise the attackers waited 7 days before logging in through RDP. They then moved laterally, manually making RDP connections to several other systems and disabling antivirus software on each. Finally the ransomware payload was executed, encrypting file servers and backup systems.
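The IFEO injection step described above leaves a registry trace: when a `Debugger` value is set under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<program>.exe`, Windows launches the named debugger instead of the program. As an added example (not code from the BlackBerry/KPMG investigation), the Python below triages a `reg export` of that key and ranks each redirection; the sample export, program names and debugger paths are constructed placeholders.

```python
import re
from typing import List, NamedTuple
# Constructed sample of a `reg export` of the IFEO key; not a real capture.
# Hijacked program names and debugger paths are placeholders.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\Users\\Public\\svc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe]
"Debugger"="C:\\Windows\\System32\\cmd.exe"
"""
# Locations a non-admin user can usually write to; a Debugger pointing here
# is a stronger signal than one pointing into a protected system directory.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DEBUGGER_RE = re.compile(r'^"Debugger"="(?P<val>.*)"$', re.IGNORECASE)

class Finding(NamedTuple):
    image: str      # program whose launch is redirected
    debugger: str   # executable Windows runs instead of it
    severity: str   # "high" (user-writable path) or "review"

def find_ifeo_debuggers(reg_text: str) -> List[Finding]:
    """Parse .reg export text and return every IFEO Debugger redirection."""
    findings: List[Finding] = []
    current_image = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            # The subkey name is the hijacked image; the root key itself has none.
            current_image = key.rsplit("\\", 1)[-1] if "Image File Execution Options\\" in key else None
            continue
        m = DEBUGGER_RE.match(line)
        if m and current_image:
            path = m.group("val").replace("\\\\", "\\")  # undo .reg escaping
            sev = "high" if path.lower().startswith(USER_WRITABLE) else "review"
            findings.append(Finding(current_image, path, sev))
    return findings

if __name__ == "__main__":
    for f in find_ifeo_debuggers(SAMPLE_REG):
        print(f"[{f.severity}] {f.image} -> {f.debugger}")
```

Any Debugger value on a host that is not being actively debugged deserves a look; the severity only orders the review.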

The ransomware is being used to attack Windows and Linux systems and uses several different file extensions for encrypted files, including .thanos, .grinch, and .redrum. It also uses an unusual technique to hide on the networks it compromises. First, the ransomware is written in Java, which is unusual for ransomware. Second, it is downloaded onto the target’s system in a zip file as a Trojanized Java Runtime Environment build, with the malicious code hidden in a Java image file (Jimage), which is also unusual.

The researchers explained that Jimage is most commonly used internally by Java, not by developers, and that the file format is also rarely used in malware. “This is a nice way to be stealthy because nobody will look into JIMAGE and think something is off,” said the researchers.

Tycoon ransomware has been linked to Dharma/CrySIS ransomware, as it uses the same email addresses and ransom note text. The naming convention for encrypted files is also similar.

The researchers say Tycoon ransomware is part of a new trend in which attackers are moving away from conventional obfuscation techniques and instead relying on obscure file formats and programming languages such as Java and Go.

While it may not be possible to decrypt files without paying the ransom, attacks such as this can be prevented. Since the initial compromise is achieved through RDP, risk can be reduced by disabling all internet-facing ports unless they are essential. All default passwords should be changed and complex passwords should be set. There is also a delay between the initial compromise and execution of the ransomware, so if networks are monitored for signs of compromise there is a window of opportunity to identify an attack in progress before the ransomware payload is deployed.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news