Tycoon ransomware hits Windows and Linux with obscure methods
According to a report by ZDNet, a ransomware family named “Tycoon” is targeting Windows and Linux systems. The ransomware first emerged in December 2019 and goes after very specific targets, rather than taking the traditional “shotgun” approach of infecting as many systems as possible. So far, Tycoon has targeted networks in the education and software sectors.
BlackBerry researchers and KPMG security analysts discovered a few quirks that further separate this ransomware from other payloads. They found it is more difficult to detect on infected systems, and unusual because it is written in Java. The researchers found the payload is delivered through a Java Runtime Environment found in Java image files (jpeg). In other words, image files carry the malicious payload rather than executables, which is an unusual trait for malware.
Hidden inside image files, the payload is much harder to detect. Victims are also likelier to trust an image, since images are not usually associated with malware attacks.
How the attack happens
Tycoon needs Java to deploy its malicious payload, but before doing so it relies on a common infection tactic: exploiting unsecured Remote Desktop Protocol (RDP) servers.
Once the attackers obtain compromised credentials, they escalate their attack. Researchers found this takes two forms: the attackers abuse Image File Execution Options (IFEO), and they use system privileges to disable anti-virus software and other protections. IFEO is normally used for debugging, but in this case it is used to maliciously inject the ransomware.
Researchers discovered shell scripts for both Linux and Windows, though currently only the latter has been targeted.
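The IFEO abuse described above leaves a trace in the registry: a `Debugger` value under a program's IFEO key tells Windows to launch that "debugger" instead of the program. The following audit script is an added example for defenders, not code from the article or from the researchers; it assumes that debugger paths under the Windows and Program Files directories are expected and flags everything else, plus any Java launcher, for review.

```powershell
# Added example (not from the article): list every IFEO Debugger value and
# flag the ones worth investigating. Run from an elevated PowerShell session.

$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Assumption: debuggers living under these directories are treated as expected.
$expectedPrefixes = @("$env:SystemRoot\", "$env:ProgramFiles\")

function Get-IfeoDebuggerFindings {
    $findings = @()
    foreach ($key in Get-ChildItem -Path $ifeoRoot -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $props.Debugger) { continue }          # no hijack configured
        $debugger = [string]$props.Debugger

        # Extract the executable path, honouring a quoted path with spaces.
        if ($debugger.StartsWith('"')) {
            $exe = $debugger.Substring(1).Split('"')[0]
        } else {
            $exe = $debugger.Split(' ')[0]
        }

        $isExpected = $false
        foreach ($prefix in $expectedPrefixes) {
            if ($exe.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
                $isExpected = $true
            }
        }

        # A Java launcher registered as a "debugger" is exactly the pattern
        # a Java-based payload would need, so it is flagged regardless of path.
        $findings += [pscustomobject]@{
            Target     = $key.PSChildName              # program being hijacked
            Debugger   = $debugger                     # what actually runs
            Exists     = Test-Path -LiteralPath $exe   # missing binary = stale or cleaned up
            Suspicious = (-not $isExpected) -or ($exe -match 'javaw?\.exe$')
        }
    }
    return $findings
}

Get-IfeoDebuggerFindings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Any `Debugger` value on a workstation deserves a second look; an entry pointing at a user profile, a temp directory, or a JRE is the kind of finding that should be escalated.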
After the infection
Once inside the targeted system, the Tycoon ransomware encrypts targeted files. Which files are encrypted varies with the network and system. However, the end result is the same: malicious third parties demand payment in bitcoin for the return of the files.
Protecting against the ransomware attack
Though the Tycoon ransomware uses obfuscation techniques to remain hidden, plenty of methods to defend against it exist. Many of these methods are easy to deploy across networks and devices.
Primarily, Bytagig recommends the following:
- Establish a zero-trust philosophy for yourself and your staff, whereby messages are not opened until they are verified as coming from trusted sources
- Keep all anti-malware programs updated on all relevant devices
- Update Windows and Linux to their latest security patches and versions to close known vulnerabilities
- Segregate networks (if not already done) into separate secure zones to protect information and limit the damage in the event of an intrusion
- Maintain robust backups of all data, kept inaccessible to malicious third parties, so that compromised data can be restored
- Educate yourself and your workforce on identifying phishing scams and ransomware techniques while maintaining a strong cybersecurity philosophy
- Engage in network monitoring and check for suspicious activity
- Report all fraudulent messages and emails
If you need additional assistance or wish to inquire about backup options, you can contact Bytagig today for more information.