Cybercriminals are always looking for new tricks and techniques to target potential victims without being caught. That’s especially true of ransomware attackers who need to stealthily invade an organization’s network to encrypt the sensitive files they plan to hold hostage. A new ransomware campaign known as Tycoon is using Java to hit Windows and Linux servers. A report released Thursday by the BlackBerry Research and Intelligence Team and KPMG’s UK Cyber Response Services explains how this attack plays out.
Seen in the wild since at least December 2019, Tycoon is a multiplatform Java ransomware aimed at encrypting files on Windows and Linux servers. To try to evade exposure, Tycoon uses an obscure Java image format known as JIMAGE, which stores Java Runtime Environment (JRE) images used by the Java Virtual Machine (JVM) at runtime.
Specifically, the Tycoon ransomware arrives as a ZIP archive containing a Trojanized JRE build. Though previous ransomware samples have been written in Java, this is the first one seen by BlackBerry and KPMG that abuses the Java JIMAGE format to devise a customized and malicious JRE build.
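A defender-side check for the format just described, added here as an example and not taken from the BlackBerry/KPMG report: it recognises a JIMAGE file by its magic value, parses the header fields, and lists which members of an archive are JIMAGE images so they can be triaged. The header layout and magic constant follow OpenJDK's libjimage reader; the archive members below are constructed sample data.

```python
import struct

# JIMAGE header as defined in OpenJDK's libjimage (imageFile.hpp):
# seven 32-bit fields written in the producing host's byte order.
JIMAGE_MAGIC = 0xCAFEDADA
JIMAGE_HEADER_LEN = 28


def parse_jimage_header(data: bytes):
    """Return the header fields if `data` starts with a JIMAGE header, else None.
    Both byte orders are tried, as the JDK reader does."""
    if len(data) < JIMAGE_HEADER_LEN:
        return None  # too short to be a JIMAGE file
    for fmt in ("<7I", ">7I"):
        magic, version, flags, res, tbl, loc, strs = struct.unpack(
            fmt, data[:JIMAGE_HEADER_LEN])
        if magic == JIMAGE_MAGIC:
            return {
                "endian": "little" if fmt[0] == "<" else "big",
                "major": version >> 16,       # major/minor packed into one word
                "minor": version & 0xFFFF,
                "flags": flags,
                "resource_count": res,
                "table_length": tbl,
                "locations_size": loc,
                "strings_size": strs,
            }
    return None


def find_jimage_members(members: dict):
    """Given archive members as {path: bytes}, return (path, header) for every
    member that carries a JIMAGE header, wherever it sits in the archive."""
    found = []
    for path, blob in members.items():
        header = parse_jimage_header(blob)
        if header is not None:
            found.append((path, header))
    return found


def _make_header(fmt: str, resources: int) -> bytes:
    # constructed minimal header: version 1.0, no flags, small tables
    return struct.pack(fmt, JIMAGE_MAGIC, (1 << 16) | 0, 0, resources, 4, 64, 32)


# Constructed sample archive: a JIMAGE in the usual JRE location, a ZIP-like
# member, a truncated header, and a JIMAGE (big-endian) in an odd location.
SAMPLE_MEMBERS = {
    "jre/lib/modules": _make_header("<7I", 3) + b"\x00" * 16,
    "jre/lib/tools.jar": b"PK\x03\x04" + b"\x00" * 40,
    "jre/bin/short.bin": b"\xda\xda\xfe\xca",
    "tmp/odd.bin": _make_header(">7I", 7) + b"\x00" * 16,
}
```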
This ransomware targets small and midsized companies, educational institutions, and software companies. The initial infection occurs through an internet-facing RDP (Remote Desktop Protocol) jump server, which is a system used to manage other devices via its own secure zone. After attacking the domain controller and file servers, the criminal locks system administrators out of their machines.
Using a diagram, the report describes each phase of the attack:
- The attacker connects to the systems using an RDP server on the network.
- The attacker finds an interesting target and obtains the credentials for the local administrator.
- The attacker installs a “hacker as a server” process and then disables the local antivirus security.
- The attacker drops a backdoor onto the compromised system and then leaves the network.
- The attacker connects to an RDP server and uses it to move laterally across the network.
- The attacker manually initiates RDP connections to each server.
- The attacker runs the hacker process and disables the security protection.
- The attacker runs a batch file to launch the ransomware.
- The attacker follows the same steps for each targeted server on the network.
The compromised files are encrypted using an AES-256 algorithm in Galois/Counter (GCM) mode with a 16-byte GCM authentication tag to ensure data integrity. By not encrypting certain parts of larger files, the attackers are able to speed up the process while still making the files unusable. The files are encrypted using an asymmetric RSA algorithm. As such, decrypting them requires the attacker’s private 1024-bit RSA key; recovering that key without it would demand a massive amount of computational power.
On the BleepingComputer forum, one of the ransomware’s victims posted a private RSA key that ostensibly came from a decryptor purchased from the attackers. This key was able to decrypt files impacted by an early version of the Tycoon ransomware that added the .redrum extension to the encrypted files. However, the key doesn’t work for the most recent “happyny3.1” version of Tycoon, which adds the .grinch and .thanos extensions to the encrypted files.
Though Tycoon has been spotted in the wild for around six months, the number of victims appears to be limited. As such, the campaign might be heavily targeted only to specific organizations or it could be part of a larger attack using different types of ransomware.
To protect themselves from ransomware, organizations must safeguard themselves and secure their data before an attack occurs. However, that process demands more than the usual security methods.
“With the threat of ransomware increasing constantly, patch efficiency, antivirus software, and simple endpoint administration are no longer enough,” BlackBerry’s VP of threat intelligence, Eric Milam, said. “Security teams must choose [solutions] that use signature-based patterns, behavioral analytics and machine learning, as well as a strong R&D team behind it. As a proactive/cyber hygiene approach, ensure all backups are stored offsite, either physical or cloud solutions, that may add an extra layer of security to identify and prevent encryption.”
But if a ransomware attack occurs, there are ways that organizations can more effectively and quickly bounce back.
“Solutions that allow administrators to freeze accounts once a ransomware infection is detected are up-and-coming,” Milam said. “On a per-user basis and per-infected file basis, the account can be rolled back to a point just before the infection happened. That way, no data is lost and no ransom has to be paid. The infection is simply wiped as if it never happened. Ransomware or not, robust data protection practices like these will stand the test of time.”
Even if your data is encrypted by ransomware, you do have certain options.
“There are many publicly available, free of charge, decryptors that work with some of the ransomware families,” Milam said. “In some cases, it could also be possible to partially recover the files using file recovery software. If you don’t have any backups or ways to restore the data (publicly available decryptors/data recovery tools), above all else, bring in experts who are used to dealing with these situations. You don’t want insult to injury to pay the ransom and still not get the data.”
Finally, should an organization ever consider paying the ransom?
“As a matter of principle, the security community doesn’t recommend paying cybercriminals, simply because doing so justifies and propels the ransomware business,” Milam said. “However, we do understand that in some of the highly targeted and most damaging attacks (for example on critical infrastructure or healthcare providers), there might be no other way to recover and preserve human life but to meet the ransom demands. Since the individual cases and circumstances vary dramatically, there is no golden rule. In any scenario, though, the victims should work closely with law enforcement and do everything possible to help with the investigation.”