Linux and Windows systems targeted by new Tycoon ransomware
Ransomware attacks Windows and Linux systems
A new ransomware strain is targeting Linux and Windows systems across a number of industries, security experts have warned.
The malware, given the name Tycoon by the researchers at BlackBerry Research and Intelligence Team in partnership with KPMG’s UK Cyber Response Services that discovered it, is operating what appear to be highly targeted attacks at SMBs in the software and education industries.
The ransomware is even more dangerous as it does not just affect one family of devices, but both Windows and Linux, which are widely used across the targeted industries.
Tycoon ransomware
The team observed that Tycoon appears to be manually deployed, with the operators targeting individual systems and connecting to an RDP server. Once a target had been identified and infiltrated using local administrator credentials, the attacker disabled an antivirus and installed a ProcessHacker hacker-as-a-service utility.
The ransomware takes the form of a trojanized Java Runtime Environment (JRE) which escapes detection by piggy-backing on an obscure Java image format. The settings for image file execution options (IFEO) are stored in the Windows registry, ostensibly to give developers an option to debug their software through the attachment of a debugging application during the execution of a target application.
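Because IFEO lives in the registry, a defender can audit it directly. The PowerShell script below is an added example, not code from the article, BlackBerry or KPMG: it walks the IFEO key (the real path under `HKLM`, including the `Wow6432Node` mirror for 32-bit images) and lists every subkey that carries a `Debugger` value, which is the setting that makes Windows start the named program whenever the executable the key is named after is launched. The function name and the "outside Program Files or System32" heuristic used to flag entries for review are assumptions made for this example, not indicators from the investigation.

```powershell
# Added example (not from the article or the researchers' report): audit IFEO
# "Debugger" values, which redirect execution of the named program to another binary.
$IfeoPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Get-IfeoDebuggerEntries {
    # Hypothetical helper name chosen for this example.
    param([string[]]$Paths = $IfeoPaths)

    foreach ($path in $Paths) {
        Get-ChildItem -Path $path -ErrorAction SilentlyContinue | ForEach-Object {
            $debugger = (Get-ItemProperty -Path $_.PSPath -Name 'Debugger' -ErrorAction SilentlyContinue).Debugger
            if ($debugger) {
                [PSCustomObject]@{
                    Hive     = $path
                    Target   = $_.PSChildName   # executable the IFEO key applies to
                    Debugger = $debugger        # program Windows launches in its place
                    # Assumed heuristic: debuggers outside standard tooling dirs deserve a look.
                    Review   = ($debugger -notmatch '^"?(?i)C:\\(Program Files|Windows\\System32)')
                }
            }
        }
    }
}

$entries = @(Get-IfeoDebuggerEntries)
if ($entries.Count -eq 0) {
    Write-Output 'No IFEO Debugger entries found.'
} else {
    $entries | Sort-Object Review -Descending | Format-Table -AutoSize
}
```

Run it from an elevated prompt so every subkey is readable. Legitimate entries do exist (developer tools register themselves here), so the `Review` flag is a prompt for a human check rather than a verdict; what stands out is a `Debugger` value on a commonly launched system executable that points at a path nobody on the team recognises. For ongoing monitoring, a Sysmon rule that records registry value writes under the same two paths turns this one-off audit into an alert.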
Once the ransomware is executed on a system, the malware would proceed to encrypt file servers and demand a ransom from the victims. BlackBerry noted that the malicious JRE build used contained both Windows and Linux versions, suggesting the criminals wanted to target multiple systems and servers.
“Malware writers are constantly seeking new ways of flying under the radar,” BlackBerry wrote in a blog post explaining the findings. “They are slowly moving away from conventional obfuscation and shifting towards uncommon programming languages and obscure data formats. We have already seen a substantial increase in ransomware written in languages such as Java and Go. This is the first sample we’ve encountered that specifically abuses the Java JIMAGE format to create a custom malicious JRE build.”
“Tycoon has been in the wild for at least six months, but there seems to be a limited number of victims. This suggests the malware may be highly targeted. It may also be a part of a wider campaign using several different ransomware solutions, depending on what is perceived more successful in specific environments.”
Mike Moore is Deputy Editor at TechRadar Pro. He has worked as a B2B and B2C tech journalist for nearly a decade, including at one of the UK’s leading national newspapers and fellow Future title ITProPortal, and when he’s not keeping track of all the latest enterprise and workplace trends, can most likely be found watching, following or taking part in some kind of sport.