Tycoon, a new ransomware on Windows and Linux


A newly discovered form of ransomware attacks Windows and Linux systems in what appears to be a targeted campaign.

Named Tycoon after references found in its code, this ransomware has been active since at least December 2019 and appears to be the work of cybercriminals who are highly selective in their targeting. The malware also uses an unusual deployment technique that allows it to remain hidden on compromised networks.

Tycoon’s main targets are organizations in the education and software sectors.

A ransomware that exploits Java

Tycoon was discovered, analysed and described by BlackBerry researchers working with KPMG security analysts. Its form is unusual for ransomware: it is written in Java, deployed inside a trojanized Java Runtime Environment (JRE) build, and compiled into a Java image file (JIMAGE) to hide its malicious intent.

“These two methods are unique. Java is very rarely used to write malware on endpoints because it requires the Java runtime environment to be able to execute the code. Image files are rarely used for malware attacks,” Eric Milam, vice president of research and intelligence at BlackBerry, told ZDNet.

“Attackers are turning to unusual programming languages and obscure data formats. Here, the attackers did not have to hide their code to succeed in achieving their objectives,” he adds.

Course of the attack

The first stage of the attack, however, is less atypical: the initial intrusion is made through unsecured RDP servers. This is a common attack vector for malware campaigns, which typically target servers that have weak passwords or that have already been compromised.

Once inside the network, the attackers use IFEO (Image File Execution Options) injection, a registry mechanism normally used by developers to attach a debugger to a program, to maintain persistence. They also use their privileges to disable anti-malware software with ProcessHacker, so that the attack is not stopped.

Once executed, the ransomware encrypts files across the network, appending Tycoon-specific extensions, notably .redrum, .grinch and .thanos, and the attackers demand a ransom in exchange for the decryption key. Payment must be made in bitcoin, and the price depends on how quickly the victim makes contact by e-mail.
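The two post-compromise artifacts described above, IFEO-based persistence and the Tycoon file extensions, are both cheap to check for on a Windows host. The script below is an added example for this article and is not code from the BlackBerry/KPMG research or from ZDNet; the "trusted roots" heuristic for debugger paths and the default scan root are assumptions, so adjust them to your environment. It runs elevated and prints IFEO `Debugger` entries (plus the sibling SilentProcessExit `MonitorProcess` technique) and any files carrying the reported extensions.

```powershell
# Added example (not from the article or the BlackBerry/KPMG report).
# Audits IFEO persistence and sweeps for Tycoon-style encrypted files. Run elevated.

$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$SpeRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit'

function Get-IfeoHijack {
    # A "Debugger" value under IFEO\<exe> makes Windows start that debugger
    # instead of <exe> every time <exe> is launched. Legitimate entries are rare
    # (developer tooling); anything outside the system/program directories is
    # flagged. The trusted-root list is an assumption, not a Windows rule.
    $trustedRoots = @("$env:SystemRoot\", "${env:ProgramFiles}\", "${env:ProgramFiles(x86)}\")
    Get-ChildItem -Path $IfeoRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $key   = $_
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if ($props.Debugger) {
            $dbg = ([string]$props.Debugger).Trim('"')
            $trusted = $trustedRoots | Where-Object { $dbg -like "$_*" }
            [pscustomobject]@{
                Target     = $key.PSChildName
                Debugger   = $dbg
                Suspicious = -not [bool]$trusted
            }
        }
        # Sibling technique: IFEO GlobalFlag bit 0x200 plus a
        # SilentProcessExit\<exe>\MonitorProcess value runs the monitor
        # process whenever <exe> exits.
        if ($props.GlobalFlag -and (($props.GlobalFlag -band 0x200) -ne 0)) {
            $spe = Get-ItemProperty -Path (Join-Path $SpeRoot $key.PSChildName) -ErrorAction SilentlyContinue
            if ($spe.MonitorProcess) {
                [pscustomobject]@{
                    Target     = $key.PSChildName
                    Debugger   = "SilentProcessExit: $($spe.MonitorProcess)"
                    Suspicious = $true
                }
            }
        }
    }
}

function Find-TycoonEncryptedFile {
    param([string[]]$Root = @('C:\'))            # assumption: scan the system drive
    $exts = '.redrum', '.grinch', '.thanos'      # extensions reported for Tycoon
    Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $exts -contains $_.Extension.ToLower() } |
        Select-Object FullName, Length, LastWriteTime
}

Get-IfeoHijack | Where-Object Suspicious | Format-Table -AutoSize
Find-TycoonEncryptedFile | Select-Object -First 50 | Format-Table -AutoSize
```

An IFEO entry pointing at a script host, a user-writable directory or a renamed binary is the pattern to investigate; an entry for a standard accessibility tool such as the on-screen keyboard or sticky keys is a classic sign of an RDP-reachable backdoor, since those tools can be launched from the logon screen.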

Tycoon could be from the Dharma family

The fact that the campaign is still underway suggests that its perpetrators have succeeded in extorting payments from victims.

Researchers suggest Tycoon could be linked to another ransomware family, Dharma, also known as Crysis, because of similarities in the e-mail addresses, the naming of encrypted files and the text of the ransom note.

But although Tycoon has unusual ways of carrying out an infection, like other forms of ransomware it can be stopped before it gets that far.

How to avoid this type of attack?

Since RDP is a common factor in network compromise, organizations should ensure that only services which genuinely need to be reachable from the internet are exposed to it.

They should also ensure that accounts with access to those services do not use default credentials or weak, easily guessed passwords, as this is another way into the network.

Installing security patches as soon as they are available is also a good way to prevent attacks, particularly ransomware, as it stops criminals from exploiting known vulnerabilities. You also need to back up your network regularly, and to verify that those backups are reliable, so that if the worst happens the network can be restored relatively quickly without giving in to the criminals' demands.
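The RDP exposure and credential-hygiene advice above can be turned into a concrete check. The script below is an added example written for this article, not code from ZDNet or from the BlackBerry/KPMG research; it reports whether RDP is enabled, whether Network Level Authentication is required, which inbound firewall rules allow TCP 3389 from any address, and the local lockout and password-length policy. The remediation lines at the end are commented out, and the management subnet in them is an assumption.

```powershell
# Added example (not from the article). Audits RDP exposure and local credential
# policy on a Windows host. Run elevated; requires the NetSecurity module (Win 8+/2012+).

function Test-RdpHardening {
    $ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
    $tcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -ErrorAction SilentlyContinue

    # fDenyTSConnections = 0 means Remote Desktop is switched on.
    $rdpEnabled = ($ts.fDenyTSConnections -eq 0)
    # UserAuthentication = 1 means NLA is required before a session is created,
    # which blocks unauthenticated access to the logon screen.
    $nlaRequired = ($tcp.UserAuthentication -eq 1)

    # Enabled inbound allow rules for TCP 3389 whose remote scope is "Any":
    # these are the rules that make the server reachable from the internet
    # if the host has a public address or a port forward.
    $openRules = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow -ErrorAction SilentlyContinue |
        Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' } |
        Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' } |
        Select-Object -ExpandProperty DisplayName

    # Local account policy: a lockout threshold of "Never" lets an attacker
    # guess passwords over RDP without limit.
    $net     = net accounts
    $lockout = ($net | Select-String 'Lockout threshold').Line
    $minLen  = ($net | Select-String 'Minimum password length').Line

    [pscustomobject]@{
        RdpEnabled           = $rdpEnabled
        NlaRequired          = $nlaRequired
        RdpOpenToAnyAddress  = @($openRules)
        LockoutThreshold     = $lockout
        MinPasswordLength    = $minLen
    }
}

Test-RdpHardening | Format-List

# Remediation (uncomment to apply). The subnet is an assumption: use your
# management network or, better, remove the public path entirely and reach
# RDP only through a VPN or gateway.
# Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
#     -Name UserAuthentication -Value 1
# Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress '10.0.0.0/8'
# net accounts /lockoutthreshold:10 /minpwlen:14
```

Requiring NLA and scoping the firewall rule do not replace strong passwords or MFA, but together they remove the two conditions the article names: a server that answers to anyone on the internet and an account that can be guessed at leisure.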

Source: ZDNet.com

Source: www.zdnet.fr
