A new ransomware is active in the wild, threatening the education and corporate sectors. Dubbed Tycoon, this stealthy ransomware targets Windows and Linux systems.
Tycoon Ransomware Threatening Windows
Researchers from the BlackBerry security team, together with KPMG analysts, have uncovered a new ransomware active in the wild. Identified as Tycoon ransomware, the malware targets Windows and Linux systems stealthily.
Detailing their findings in a blog post, the researchers stated that this ransomware is quite different from the usual ransomware families. What makes it distinct is its reliance on Java.
Specifically, it is written in Java, deploys as a trojanized Java Runtime Environment (JRE) and hides itself inside a Java image (Jimage) file format. This makes the ransomware highly stealthy.
After reaching the target systems and encrypting the files, it appends the ‘.redrum’ extension in the case of the older variant ‘redrum3_0’, or the ‘.grinch’ and ‘.thanos’ extensions in the case of ‘happyny3.1’.
Besides encryption, the ransomware also hinders data recovery via other means, as it overwrites deleted files.
Nonetheless, the encrypted data is not damaged, as the ransomware uses the AES-256 algorithm in Galois/Counter Mode (GCM). Encryption proceeds in chunks, skipping parts of large files. This keeps the overall encryption fast while still rendering the files unusable.
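As an added defender-side triage example (not code from the article or from the BlackBerry/KPMG research), the following Python script walks a directory for files carrying the extensions named above and measures the entropy of each file's head, since Tycoon encrypts in chunks rather than whole files. The 4 KiB sample size and the 7.5 bits-per-byte threshold are assumptions, and the sample tree it builds is constructed for demonstration.

```python
import math, os, tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, List, Optional

# Extensions the article attributes to each Tycoon variant.
TYCOON_EXTENSIONS = {".redrum": "redrum3_0", ".grinch": "happyny3.1", ".thanos": "happyny3.1"}
HEAD_BYTES = 4096  # Assumed sample size: Tycoon encrypts in chunks and skips parts of large files.

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; AES-GCM ciphertext sits close to 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def triage_file(path: Path) -> Optional[Dict]:
    """Return a finding for a file carrying a Tycoon extension, else None."""
    variant = TYCOON_EXTENSIONS.get(path.suffix.lower())
    if variant is None:
        return None
    with path.open("rb") as fh:
        entropy = shannon_entropy(fh.read(HEAD_BYTES))
    return {
        "path": str(path),
        "variant": variant,
        "head_entropy": round(entropy, 2),
        # Low entropy means the extension was applied but this chunk was not actually encrypted.
        "looks_encrypted": entropy > 7.5,
    }


def triage_tree(root: str) -> List[Dict]:
    """Walk a directory tree and collect findings, sorted by path for stable reporting."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            finding = triage_file(Path(dirpath) / name)
            if finding:
                findings.append(finding)
    return sorted(findings, key=lambda f: f["path"])


def run_demo() -> List[Dict]:
    """Constructed sample tree (not real Tycoon artefacts): one encrypted-looking hit, one decoy, one clean file."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "report.docx.redrum").write_bytes(os.urandom(8192))  # random bytes stand in for ciphertext
        (base / "notes.txt.grinch").write_bytes(b"A" * 8192)  # extension present, content untouched
        (base / "clean.txt").write_bytes(b"untouched text\n")
        return triage_tree(tmp)
```

Point `triage_tree` at a suspect share or home directory to list affected files per variant; the entropy column separates genuinely encrypted chunks from files that were only renamed.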
Presently, the researchers suspect a link between Tycoon and Dharma ransomware.
The overlap in some of the email addresses, as well as the text of the ransom note and the naming convention used for encrypted files, suggests a connection between Tycoon and Dharma/CrySIS ransomware.
Malware Aiming At Specific Targets
Researchers found the malware active in the wild since December 2019.
However, despite being around for months, the ransomware is not spreading like wildfire. Rather, it appears very selective in choosing its victims.
As observed, Tycoon mainly targets small to medium-sized businesses, firms in the software industry, and educational institutions.
Hence everyone, especially small businesses and the educational sector that consider themselves less important targets, should remain careful about their security. Since Tycoon compromises RDP, organizations should ensure that only the necessary ports face the internet, and should not forget to maintain robust backups of their data.