As reported by ZDNet, “researchers detail the unusual workings of Tycoon ransomware – which appears to be designed to stay under the radar as much as possible. (zdnet.com, 2020) Heads up to the education and software industries! The report goes on to state: “A newly uncovered form of ransomware is going after Windows and Linux systems in what appears to be a targeted campaign. Named Tycoon after references in the code, this ransomware has been active since December 2019 and looks to be the work of cyber criminals who are highly selective in their targeting. The malware also uses an uncommon deployment technique that helps stay hidden on compromised networks. The main targets of Tycoon are organizations in the education and software industries.” (zdnet.com, 2020)
So what makes this ransomware so unique? “Tycoon has been uncovered and detailed by researchers at BlackBerry working with security analysts at KPMG. It’s an unusual form of ransomware because it’s written in Java, deployed as a trojanized Java Runtime Environment, and is compiled in a Java image file (Jimage) to hide the malicious intentions.” (zdnet.com, 2020)
Still unaware of what makes these incidents more unique than not? Well, according to the VP for research and intelligence for Blackberry, Eric Milam, “these are both unique methods. Java is very seldom used to write endpoint malware because it requires the Java Runtime Environment to be able to run the code. Image files are rarely used for malware attacks.” (zdnet.com, 2020)
How it Could Affect You
According to the above-noted article, “Attackers are shifting towards uncommon programming languages and obscure data formats.” (zdnet.com, 2020)
“However, the first stage of Tycoon ransomware attacks is less uncommon, with the initial intrusion coming via insecure internet-facing RDP servers. This is a common attack vector for malware campaigns and it often exploits servers with weak or previously compromised passwords. Once inside the network, the attackers maintain persistence by using Image File Execution Options (IFEO) injection settings that more often provide developers with the ability to debug software. The attackers also use privileges to disable anti-malware software using Process Hacker in order to stop removal of their attack.” (zdnet.com, 2020)
Hodgson Can Help
Don’t let hackers and cyber criminals advance their attacks, while you still operate under old and outdated securities! Here at Hodgson Consulting & Solutions, we specialize in securing data and information loss prevention for companies with multiple locations and/or a remote workforce. We offer full solutions for your IT needs, not just Band-Aid fixes. Contact us to receive a FREE Cyber Security Risk Assessment and also learn more about our Managed Security Service Plans. Contact our office today at 847-906-5005.