Linux and Windows systems targeted by new Tycoon ransomware

(Image credit: Shutterstock)
Audio player loading…

A new ransomware strain is targeting Linux and Windows systems across a number of industries, security experts have warned.

The malware, given the name Tycoon by the researchers at BlackBerry Research and Intelligence Team in partnership with KPMG’s UK Cyber Response Services that discovered it, is operating what appear to be highly targeted attacks at SMBs in the software and education industries.

The ransomware is even more dangerous as it does not just affect one family of devices, but both Windows and Linux, which are widely used across the targeted industries.

Tycoon ransomware

The team observed that Tycoon appears to be manually deployed, with the operators targeting individual systems and connecting an RDP server. Once a target had been identified and infiltrated using local administrator credentials, the attacker disabled an antivirus and installed a ProcessHacker hacker-as-a-service utility. 

The ransomware takes the form of a a trojanized Java Runtime Environment (JRE) which escapes detection by piggy-backing on an obscure Java image format. The settings for image file execution options (IFEO) are stored in the Windows registry, ostensibly to give developers an option to debug their software through the attachment of a debugging application during the execution of a target application.

Once the ransomware is executed on a system, the malware would proceed to encrypt file servers and demand a ransom from the victims. BlackBerry noted that the malicious JRE build used contained both Windows and Linux versions, suggesting the criminals wanted to target multiple systems and servers.

"Malware writers are constantly seeking new ways of flying under the radar," BlackBerry wrote in a blog post (opens in new tab) explaining the findings. "They are slowly moving away from conventional obfuscation and shifting towards uncommon programming languages and obscure data formats. We have already seen a substantial increase in ransomware written in languages such as Java and Go. This is the first sample we've encountered that specifically abuses the Java JIMAGE format to create a custom malicious JRE build."

"Tycoon has been in the wild for at least six months, but there seems to be a limited number of victims. This suggests the malware may be highly targeted. It may also be a part of a wider campaign using several different ransomware solutions, depending on what is perceived more successful in specific environments."

Mike Moore
Deputy Editor, TechRadar Pro

Mike Moore is Deputy Editor at TechRadar Pro. He has worked as a B2B and B2C tech journalist for nearly a decade, including at one of the UK's leading national newspapers and fellow Future title ITProPortal, and when he's not keeping track of all the latest enterprise and workplace trends, can most likely be found watching, following or taking part in some kind of sport.