Linux and Windows systems targeted by new Tycoon ransomware

A new ransomware strain is targeting Linux and Windows systems across a number of industries, security experts have warned.

The malware was discovered, and given the name Tycoon, by researchers at the BlackBerry Research and Intelligence Team working in partnership with KPMG's UK Cyber Response Services. It is being used in what appear to be highly targeted attacks on SMBs in the software and education industries.

The ransomware is all the more dangerous because it does not affect just one family of devices but both Windows and Linux, which are widely used across the targeted industries.

Tycoon ransomware

The team observed that Tycoon appears to be manually deployed, with the operators targeting individual systems and connecting to an RDP server. Once a target had been identified and infiltrated using local administrator credentials, the attacker disabled an antivirus and installed a ProcessHacker hacker-as-a-service utility.

The ransomware takes the form of a trojanized Java Runtime Environment (JRE) which escapes detection by piggy-backing on an obscure Java image format. The settings for image file execution options (IFEO) are stored in the Windows registry, ostensibly to give developers an option to debug their software through the attachment of a debugging application during the execution of a target application.
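Because an IFEO `Debugger` value makes Windows start the named program whenever the target image is launched, these keys are worth auditing on Windows hosts. The following PowerShell is an added example, not code from the article or from BlackBerry's report; the function names are illustrative, and the two registry paths are the standard 64-bit and 32-bit IFEO locations.

```powershell
# Added example: list every IFEO subkey that defines a Debugger value.
# Function names are illustrative; the registry paths are the standard IFEO locations.
$IfeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Resolve-DebuggerPath {
    param([string]$CommandLine)
    # Take the quoted path if present, otherwise the first whitespace-delimited token.
    if ($CommandLine -match '^\s*"([^"]+)"') { $path = $Matches[1] }
    elseif ($CommandLine -match '^\s*(\S+)') { $path = $Matches[1] }
    else { return $null }
    [Environment]::ExpandEnvironmentVariables($path)
}

function Get-IfeoDebugger {
    param([string[]]$Root = $IfeoRoots)
    foreach ($r in $Root) {
        if (-not (Test-Path -LiteralPath $r)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $r -ErrorAction SilentlyContinue) {
            # Only subkeys with a non-empty Debugger value redirect process launches.
            $debugger = [string]$key.GetValue('Debugger')
            if ([string]::IsNullOrWhiteSpace($debugger)) { continue }

            $exe    = Resolve-DebuggerPath $debugger
            $onDisk = $exe -and (Test-Path -LiteralPath $exe -PathType Leaf)
            $sig    = if ($onDisk) { Get-AuthenticodeSignature -LiteralPath $exe } else { $null }

            [pscustomobject]@{
                TargetImage = $key.PSChildName   # executable whose launch is intercepted
                Debugger    = $debugger          # raw command line stored in the registry
                Resolved    = $exe
                OnDisk      = [bool]$onDisk
                Signature   = if ($sig) { $sig.Status } else { 'n/a' }
                Signer      = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
    }
}

Get-IfeoDebugger | Sort-Object TargetImage | Format-Table -AutoSize -Wrap
```

An entry deserves review when the resolved debugger is unsigned, missing from disk, or not a tool the system's administrators installed.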

Once executed on a system, the ransomware proceeds to encrypt file servers and demands a ransom from the victims. BlackBerry noted that the malicious JRE build contained both Windows and Linux versions, suggesting the criminals wanted to target multiple systems and servers.

"Malware writers are constantly seeking new ways of flying under the radar," BlackBerry wrote in a blog post explaining the findings. "They are slowly moving away from conventional obfuscation and shifting towards uncommon programming languages and obscure data formats. We have already seen a substantial increase in ransomware written in languages such as Java and Go. This is the first sample we've encountered that specifically abuses the Java JIMAGE format to create a custom malicious JRE build."

"Tycoon has been in the wild for at least six months, but there seems to be a limited number of victims. This suggests the malware may be highly targeted. It may also be a part of a wider campaign using several different ransomware solutions, depending on what is perceived more successful in specific environments."