The ransomware named Tycoon has once again emerged from the wild. It is a new Java-based ransomware that seems to have come out of nowhere, and it targets multiple platforms: both Windows and Linux systems. Cyber criminals are once again at large with this new strain. From the findings so far, the new Tycoon Java ransomware appears to target only small and medium-sized organizations.
The ransomware has been around since December 2019, but the findings were made public by BlackBerry only last Thursday. An unknown European institute was hit by this ransomware and reached out to the BlackBerry security firm for help. After analyzing the ransomware, they published their findings, which you can read here.
The image below shows how the attackers initially gained access to the server and encrypted all the files on it.
What's peculiar about the Tycoon attack?
A forensic analysis of the victim's machines revealed what is peculiar about the Tycoon Java-based ransomware. Here is a summary of what makes it unusual:
- The ransomware uses Image File Execution Options (IFEO) injection to persist on the system. The attackers stored the configuration in the Windows registry.
- The attackers left a backdoor that executed alongside the On-Screen Keyboard.
- The anti-malware solution was disabled using the ProcessHacker utility. The attackers then changed the passwords for the Active Directory servers, which left the owners unable to access their own servers.
- All the files used by the attackers had their timestamps set to 11th April 2020, 15:16:22.
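As a defender-side check for the IFEO persistence and On-Screen Keyboard backdoor described above, here is an added Python example (not part of the BlackBerry report or of the original post) that flags every Image File Execution Options subkey carrying a Debugger value. The SAMPLE_IFEO data and its paths are constructed for illustration, and the live registry read only works on Windows.

```python
import sys

# Real registry path (under HKLM) that holds Image File Execution Options.
IFEO_PATH = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Constructed sample of an IFEO export; the image names and paths are invented.
SAMPLE_IFEO = {
    "osk.exe": {"Debugger": r"C:\ProgramData\svc\update.exe"},
    "myapp.exe": {"Debugger": r"C:\Tools\dbg\windbg.exe -g"},
    "chrome.exe": {"DisableExceptionChainValidation": 0},
}


def find_ifeo_debuggers(ifeo_entries):
    """Return a finding for every IFEO subkey that sets a Debugger value.

    ifeo_entries maps an image name to its value-name -> data mapping.
    A Debugger value makes Windows start that program whenever the image is
    launched, which is rare on a production host and should always be
    reviewed; osk.exe, the On-Screen Keyboard named in the Tycoon case,
    is rated high.
    """
    findings = []
    for image, values in ifeo_entries.items():
        debugger = values.get("Debugger")
        if not debugger:
            continue
        severity = "high" if image.lower() == "osk.exe" else "review"
        findings.append({"image": image, "debugger": debugger, "severity": severity})
    # "high" sorts before "review", so the most urgent findings come first.
    return sorted(findings, key=lambda f: (f["severity"], f["image"].lower()))


def read_live_ifeo():
    """Collect the IFEO subkeys and their values from the local registry (Windows only)."""
    import winreg  # only importable on Windows

    entries = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, IFEO_PATH) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):  # number of subkeys
            name = winreg.EnumKey(root, i)
            values = {}
            with winreg.OpenKey(root, name) as sub:
                for j in range(winreg.QueryInfoKey(sub)[1]):  # number of values
                    vname, data, _ = winreg.EnumValue(sub, j)
                    values[vname] = data
            entries[name] = values
    return entries


if __name__ == "__main__":
    entries = read_live_ifeo() if sys.platform == "win32" else SAMPLE_IFEO
    for f in find_ifeo_debuggers(entries):
        print(f"[{f['severity']}] {f['image']} -> Debugger = {f['debugger']}")
```

On a non-Windows host the script runs against the constructed sample, which is useful for checking the logic before pointing it at a real registry export.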
The execution of Tycoon ransomware
After exploiting the internet-facing, RDP-enabled server, the attackers planted the ransomware. They wrapped it in an innocent-looking Java Image (JIMAGE) file, which effectively became a trojanized image that would later encrypt all the files on the servers. The attackers then finally executed the attack, and the targets included all the servers, backup servers included.
More on the JIMAGE file: it is tied to a specific version of the Java Runtime Environment (JRE). The format is rarely used by developers, but it is used by the targeted JRE, as it contains all the resources and assets needed for execution.
How did the attackers execute the JIMAGE file? Good question. They used a script to invoke the main function in the image, and a script for Windows systems was included as well.
The researchers also found configuration parameters in a file named BuildConfig: the email address, the ransom note, the exclusion list and the commands to be executed. It also included the RSA public key used for encryption. But wait, there's more to encrypting files. If you don't know much about cryptography, let me shed some light on this.
RSA is a public-key encryption scheme that cannot be used alone to encrypt large files; on its own it is only suited to encrypting data packets of the kind sent over the Internet. As a result, the attackers used a symmetric encryption algorithm known as AES. Each file is encrypted in chunks of a certain number of bytes. So the ransomware first encrypts a file with a random, unique key, and that key is then itself encrypted with the RSA public key.
Note that public-key encryption cannot be reversed without the corresponding private key.
The execution of the Tycoon ransomware included the commands run by the attacker, which left the files on the servers unreadable. But the attackers did more than that: they also overwrote all the files on the storage. In other words, the attackers shredded all the files.
How do I get my files back?
The answer is that you cannot. However, it might be possible if someone somehow finds the private key used for the encryption, but that is a very difficult task, and the key might vary from victim to victim.
The new Java-based Tycoon ransomware uses the Java platform, a rare choice of programming language for this type of task, but not an ineffective one. Make sure to always secure, and double check the security of, any internet-facing gateways.