The Tycoon ransomware has been circulating since the end of 2019 in ZIP archives containing a malicious Java Runtime Environment (JRE), targeting small and medium-sized businesses in particular. Both Windows and Linux systems can be compromised.
Some malware is discovered quickly after deployment, while other strains take longer to identify. This is the case for the Tycoon ransomware, which has been active since December 2019 but was only discovered more recently, in April 2020, by security researchers from BlackBerry's Threat Intelligence unit working with KPMG. The particularity of this ransomware is that it is multiplatform, targeting both Windows and Linux systems. Taking the form of a ZIP file containing a compromised Java runtime environment (JRE), it spreads mainly to small and medium-sized businesses as well as mid-market companies.
If it has existed for six months but was only discovered a few weeks ago, it is mainly because it is far from a broad-spectrum ransomware (like WannaCry, for example) and instead targets its victims with almost surgical precision; their number to date remains small. "The overlap of some email addresses, as well as the text of the ransom note and the naming convention used for encrypted files, suggest a connection between Tycoon and the Dharma/CrySIS ransomware," warned BlackBerry's security researchers in a blog post. "The ransomware was deployed in a targeted attack on an organization, where system administrators were locked out of their systems following an attack on their domain controller and their file servers." The initial intrusion by the attackers was carried out via an RDP server exposed on the Internet.
Almost impossible decryption
Once inside, the attackers performed an IFEO (Image File Execution Options) injection to install a backdoor via the Windows On-Screen Keyboard (OSK) feature, changed the Active Directory passwords to lock out access to the infected servers, and disabled the anti-malware with ProcessHacker. "After having prepared everything for the final phase, the attackers encrypted all file servers and network backups by deploying the Java ransomware module," say the researchers. The ransomware uses the Java JIMAGE format to create custom malicious JRE builds that are executed using a shell script. Since this malicious JRE build contains both a Windows batch file and a Linux shell script, the researchers believe that the operators behind Tycoon can also use the ransomware to encrypt Linux servers.
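The IFEO persistence described above leaves a durable trace in the registry: a `Debugger` value under the `Image File Execution Options` subkey for the hijacked binary. The following check is an added example written for this page (not code from BlackBerry's report or from the Tycoon sample): it parses the text output of `reg query ... /s` for that key and flags every subkey that carries a `Debugger` value, rating the accessibility helpers that run from the logon screen (osk.exe, sethc.exe, utilman.exe and friends) as high severity. The `reg query` output below is constructed, and the paths in it are placeholders; on a live Windows host you would feed the function the real output of the command shown in the docstring.

```python
"""Flag IFEO 'Debugger' hijacks of Windows accessibility binaries.

Added example, not from the article. It parses the text format printed by

    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s

so it runs offline on any OS against a saved capture; the SAMPLE below is
constructed for demonstration.
"""
import re

# reg query prints the full hive name, not the HKLM shorthand.
IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
            r"\Image File Execution Options")

# Accessibility helpers launchable from the logon screen; a Debugger value on
# any of these replaces the helper with an attacker-chosen program, which is the
# IFEO backdoor technique described in the article.
ACCESSIBILITY_BINARIES = {
    "osk.exe", "sethc.exe", "utilman.exe", "narrator.exe",
    "magnify.exe", "displayswitch.exe", "atbroker.exe",
}

# One value line of reg query output: "<indent>Name    REG_TYPE    data"
VALUE_RE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>.*)$")

# Constructed sample: one benign subkey, one hijacked accessibility binary,
# one Debugger value on an unknown (placeholder) program that merits review.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions
    mscorwks.dll    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe
    Debugger    REG_SZ    C:\Windows\System32\cmd.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example-app.exe
    Debugger    REG_SZ    C:\Tools\placeholder-debugger.exe
"""


def parse_reg_query(text):
    """Yield (subkey, value_name, data) for every value under the IFEO key."""
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith(IFEO_KEY):
            # Key line: remember which image (subkey) the following values belong to.
            rest = line[len(IFEO_KEY):].strip("\\").strip()
            current = rest.lower() if rest else None
            continue
        m = VALUE_RE.match(line)
        if m and current:
            yield current, m.group("name"), m.group("data").strip()


def find_ifeo_hijacks(text):
    """Return a list of findings for every subkey that sets a Debugger value."""
    findings = []
    for subkey, name, data in parse_reg_query(text):
        if name.lower() != "debugger":
            continue
        severity = "high" if subkey in ACCESSIBILITY_BINARIES else "review"
        findings.append({"image": subkey, "debugger": data, "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in find_ifeo_hijacks(SAMPLE):
        print(f"[{finding['severity']}] {finding['image']} -> {finding['debugger']}")
```

Any `Debugger` value on an accessibility binary should be treated as a confirmed persistence artifact rather than a misconfiguration; a legitimate debugger registration on a developer workstation is the only common benign case, which is why the non-accessibility hits are marked for review instead of being dropped.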
Tycoon-encrypted files use a 256-bit AES algorithm in GCM mode with a 16-byte authentication tag. "Due to the use of an asymmetric RSA algorithm to encrypt securely generated AES keys, decrypting files requires obtaining the attacker's private RSA key. Factoring a 1024-bit RSA key, although theoretically possible, has not yet been carried out and would require extraordinary computing power," warned the researchers. "Although there has been some success in decrypting Tycoon-encrypted files with the .redrum extension using a private RSA key obtained from a decryptor purchased by one of the victims, the decryption of files locked by newer versions of Tycoon that use the .grinch and .thanos extensions is not yet possible."