Unique attack vector: Tycoon ransomware targets corporate networks


This ransomware hides its payload in a Java image file, preventing detection on Windows and Linux systems

Tycoon ransomware attacks

Researchers at BlackBerry Threat Intelligence have spotted a new surge of Tycoon ransomware infections across the software and education sectors.[1] The malware is relatively new: it was first spotted in the wild in December 2019, targeting small to medium organizations in the software and education industries.

Tycoon ransomware is written in Java, which is relatively uncommon for this type of malware. It is deployed with the help of a Trojanized Java Runtime Environment (JRE) via weakly protected Remote Desktop connections. The malware is also designed to stay undetected for a period of time with the help of several evasion techniques.

Tycoon ransomware is human-operated malware and, despite being distributed for more than six months, has only infected a few networks so far. The developers of the malware are yet to be identified. However, BlackBerry security experts concluded that it has several ties to the Dharma ransomware family (the overlaps include email addresses, the extension pattern used after encryption, and the body text of the ransom note).

Attackers drop a backdoor and ProcessHacker before initiating file encryption

A Remote Desktop connection that is open to the internet serves as the main entry point for the attackers. According to the BlackBerry researchers who analyzed the malware, employees of the attacked organization were locked out of their workstations:

The ransomware was deployed in a targeted attack against an organization, where the system administrators had been locked out of their systems following an attack on their domain controller and file servers. After conducting forensic investigations of the infected systems, it became apparent that the initial intrusion occurred via an Internet-facing RDP jump-server.

However, this is just the first stage of the attack. Malicious actors do not rush to deploy the payload of Tycoon ransomware. On the contrary, each step of the infection is carefully planned and executed precisely.

Once the attackers get into the vulnerable network via RDP, they manage to gain access to a local machine by accessing the administrator’s credentials. After that, the threat actors install ProcessHacker,[2] disable anti-malware software on the local system, and change passwords for Active Directory servers, locking employees out of their workstations.

Finally, the attackers leave the database server, leaving a backdoor and the Microsoft Windows On-Screen Keyboard (OSK) feature behind. As soon as everything is prepared, they deploy Tycoon ransomware and repeat the process on each of the infected servers on the network. As a result, file servers, DB servers, and backup servers get encrypted, leaving very few possibilities for successful decryption.

Tycoon ransomware is compiled into a malicious ZIP archive, which contains a Trojanized Java Runtime Environment build. Inside, a particular Java image file (JIMAGE), a format rarely used by developers, is used to execute the malicious JRE build. This rare technique ensures that the malware remains under the radar for prolonged periods of time.
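For defenders triaging archives found on a compromised host, the following added example (not code from the original article or from BlackBerry) lists the entries of a ZIP archive that begin with the JIMAGE magic number. It assumes the 0xCAFEDADA magic and packed major/minor version field of the OpenJDK runtime image header, which the article does not state; the function names are hypothetical and the sample archive is constructed.

```python
import io
import struct
import zipfile

JIMAGE_MAGIC = 0xCAFEDADA  # assumption: magic of the JDK 9+ runtime image format
HEADER_LEN = 8             # magic + packed version field; enough for triage


def parse_jimage_header(data):
    """Return (byte_order, major, minor) if data starts a JIMAGE, else None."""
    if len(data) < HEADER_LEN:
        return None
    # The header is written in the build platform's native byte order,
    # so both orders have to be tried.
    for order, fmt in (("little", "<II"), ("big", ">II")):
        magic, version = struct.unpack(fmt, data[:HEADER_LEN])
        if magic == JIMAGE_MAGIC:
            return order, version >> 16, version & 0xFFFF
    return None


def find_jimages_in_zip(zip_bytes):
    """List (entry_name, byte_order, major, minor) for JIMAGE entries in a ZIP."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                parsed = parse_jimage_header(fh.read(HEADER_LEN))
            if parsed:
                hits.append((info.filename, *parsed))
    return hits


def build_sample_zip():
    """Constructed sample: a JRE-like layout with a stub 'lib/modules' image."""
    stub = struct.pack("<II", JIMAGE_MAGIC, (1 << 16) | 0) + b"\x00" * 20
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("jre/bin/readme.txt", "constructed sample, not malware")
        zf.writestr("jre/lib/modules", stub)
    return buf.getvalue()


if __name__ == "__main__":
    for hit in find_jimages_in_zip(build_sample_zip()):
        print("JIMAGE entry:", hit)
```

A hit is only a triage signal: legitimate JDK and JRE installations ship a JIMAGE as `lib/modules`, so the finding matters when a bundled runtime appears where no Java software was deployed.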

Early versions of Tycoon ransomware may be decrypted

It is clear that Tycoon ransomware operators are considering expanding their campaigns, as the malware’s shell scripts contain both Windows and Linux variants, although no attacks have been observed on the latter as of now.

Researchers have observed three different versions of Tycoon ransomware, each of which can be differentiated by file extensions that are appended to locked data – .redrum,[3] .grinch, and .thanos. Upon malware execution, shadow volume copies are deleted, preventing users from easily regaining access to their files.

Since the malware uses a combination of AES-256[4] and RSA-1024 keys to lock data, achieving decryption is difficult, though not impossible:

Because of the use of asymmetric RSA algorithm to encrypt the securely generated AES keys, the file decryption requires obtaining the attacker’s private RSA key. Factoring a 1024-bit RSA key, although theoretically possible, has not been achieved yet and would require extraordinary computational power.

Nonetheless, since one of the victims who paid for the decryption key shared it with security researchers from Emsisoft, they managed to provide a free decryptor for all .redrum encrypted files.[5]