Multi-Platform ‘Tycoon’ Ransomware Uses Rare Java Image Format for Evasion

A recently discovered multi-platform Java ransomware uses a Java image file (JIMAGE) to evade detection, BlackBerry security researchers report.

Dubbed Tycoon, the ransomware appears to be used only in highly targeted attacks, given the low number of victims and the delivery mechanism employed.

The ransomware’s operators targeted small to medium-sized companies and institutions in the education and software industries, the researchers say. In one instance, they first compromised an Internet-facing Remote Desktop Protocol (RDP) jump server and used it as the staging point for the rest of the intrusion.

The investigation into the incident revealed that the attackers used Image File Execution Options (IFEO) injection for persistence, registering a backdoor so that it launched alongside the Microsoft Windows On-Screen Keyboard (OSK); that they then disabled the anti-malware solution; and that most of their files were timestomped (their timestamps altered to hinder forensic timeline reconstruction).
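The IFEO persistence described above can be hunted for from a registry export. The following Go program is an added example written for this page, not BlackBerry's tooling or anything recovered from the Tycoon incident: it parses the text form of `reg export` output (the sample below is constructed, with made-up paths) and reports every Debugger value set under Image File Execution Options, flagging the accessibility binaries that Windows will launch from the logon screen.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample of what
//   reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg
// produces. Real exports are UTF-16LE with a BOM; decode to UTF-8 before parsing.
// The debugger paths below are made up for this example.
const sampleRegExport = `Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"DisableExceptionChainValidation"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe]
"Debugger"="C:\\Windows\\Temp\\svc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="cmd.exe"
`

// Accessibility binaries reachable from the logon screen. A Debugger value on any of them
// is the classic IFEO backdoor (MITRE ATT&CK T1546.008 / T1546.012).
var accessibilityImages = map[string]bool{
	"osk.exe": true, "sethc.exe": true, "utilman.exe": true, "narrator.exe": true,
	"magnify.exe": true, "displayswitch.exe": true, "atbroker.exe": true,
}

type IFEOFinding struct {
	Image         string // executable name under the IFEO key (lower-cased)
	Debugger      string // unescaped Debugger value
	Accessibility bool   // true when Image is an accessibility binary
}

const ifeoMarker = `\image file execution options\`

// FindIFEODebuggers walks a .reg export and returns every Debugger value set under
// Image File Execution Options, together with the image it hijacks.
func FindIFEODebuggers(export string) []IFEOFinding {
	var findings []IFEOFinding
	image := ""
	for _, raw := range strings.Split(export, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]"):
			image = imageFromKey(line[1 : len(line)-1]) // "" for keys outside IFEO
		case image != "" && strings.HasPrefix(strings.ToLower(line), `"debugger"=`):
			value := line[len(`"debugger"=`):]
			findings = append(findings, IFEOFinding{
				Image:         image,
				Debugger:      unquoteRegString(value),
				Accessibility: accessibilityImages[image],
			})
		}
	}
	return findings
}

// imageFromKey returns the subkey directly below Image File Execution Options
// (so "...\osk.exe\PerfOptions" still maps to osk.exe), or "" for unrelated keys.
func imageFromKey(key string) string {
	lower := strings.ToLower(key)
	i := strings.Index(lower, ifeoMarker)
	if i < 0 {
		return ""
	}
	rest := lower[i+len(ifeoMarker):]
	if j := strings.Index(rest, `\`); j >= 0 {
		rest = rest[:j]
	}
	return rest
}

// unquoteRegString strips the quotes of a REG_SZ value in .reg syntax and undoes its
// escaping (\\ and \"). REG_EXPAND_SZ values are exported as hex(2): and are returned as-is.
func unquoteRegString(v string) string {
	if len(v) >= 2 && v[0] == '"' && v[len(v)-1] == '"' {
		v = v[1 : len(v)-1]
		v = strings.ReplaceAll(v, `\\`, `\`)
		v = strings.ReplaceAll(v, `\"`, `"`)
	}
	return v
}

func main() {
	for _, f := range FindIFEODebuggers(sampleRegExport) {
		severity := "review"
		if f.Accessibility {
			severity = "HIGH"
		}
		fmt.Printf("%-7s %-12s Debugger=%s\n", severity, f.Image, f.Debugger)
	}
}
```

Legitimate Debugger entries do exist (developers attaching a debugger to a crashing service, some vendor tooling), so plain hits are review items; a Debugger on osk.exe or another accessibility binary, or one pointing into a temp or user-writable directory, should be treated as an indicator of compromise and paired with a check of the referenced binary's hash and signature.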

After establishing a foothold onto the environment, the attackers executed the Java ransomware module, which encrypted all file servers connected to the network, including backup systems.

The ransomware is deployed as a ZIP archive containing a trojanized Java Runtime Environment (JRE) build; the malicious Java code is compiled into a Java image (JIMAGE) file rather than shipped as an ordinary JAR. JIMAGE is the format in which a JRE stores its own modules (the lib/modules file), and the Java Virtual Machine (JVM) loads classes from it at runtime.

Introduced with the module system in Java 9, the file format is sparsely documented and rarely handled directly by developers, so it receives little scrutiny from security tooling, BlackBerry explains.
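A first triage check for the format, as an added example that is not from the original article or from BlackBerry's analysis: this Go program parses the 28-byte JIMAGE header the way OpenJDK lays it out (a 0xCAFEDADA magic, a packed major/minor version and five 32-bit counts, written in the building JDK's native byte order, so the magic reads back as 0xDADAFECA when the orders differ). The sample header bytes are constructed here and the counts in them are made up.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// JIMAGE header as written by OpenJDK (jdk.internal.jimage.ImageHeader): seven 32-bit
// slots in the native byte order of the JDK that built the image.
const (
	jimageMagic       = 0xCAFEDADA
	jimageMagicInvert = 0xDADAFECA // the magic as it reads when file and reader byte orders differ
	jimageHeaderSize  = 7 * 4
)

type JImageHeader struct {
	ByteOrder     binary.ByteOrder
	MajorVersion  uint16
	MinorVersion  uint16
	Flags         uint32
	ResourceCount uint32 // number of resources (class files and other entries) in the image
	TableLength   uint32
	LocationsSize uint32
	StringsSize   uint32
}

// ParseJImageHeader reads the header, detecting byte order from the magic. It returns an
// error for anything that is not a JIMAGE, which is the answer a scanner needs.
func ParseJImageHeader(r io.Reader) (*JImageHeader, error) {
	var raw [jimageHeaderSize]byte
	if _, err := io.ReadFull(r, raw[:]); err != nil {
		return nil, fmt.Errorf("reading header: %w", err)
	}
	var bo binary.ByteOrder = binary.LittleEndian
	switch bo.Uint32(raw[0:4]) {
	case jimageMagic:
	case jimageMagicInvert:
		bo = binary.BigEndian
	default:
		return nil, errors.New("not a JIMAGE file: bad magic")
	}
	version := bo.Uint32(raw[4:8])
	return &JImageHeader{
		ByteOrder:     bo,
		MajorVersion:  uint16(version >> 16),
		MinorVersion:  uint16(version & 0xFFFF),
		Flags:         bo.Uint32(raw[8:12]),
		ResourceCount: bo.Uint32(raw[12:16]),
		TableLength:   bo.Uint32(raw[16:20]),
		LocationsSize: bo.Uint32(raw[20:24]),
		StringsSize:   bo.Uint32(raw[24:28]),
	}, nil
}

// IsJImage is the cheap check for a file walker: true for any file that starts with the
// JIMAGE magic in either byte order.
func IsJImage(data []byte) bool {
	_, err := ParseJImageHeader(bytes.NewReader(data))
	return err == nil
}

// sampleJImageHeader builds a constructed little-endian header with made-up counts, the
// shape of the first 28 bytes of a real lib/modules file (no resource data follows it).
func sampleJImageHeader() []byte {
	buf := make([]byte, jimageHeaderSize)
	le := binary.LittleEndian
	le.PutUint32(buf[0:], jimageMagic)
	le.PutUint32(buf[4:], 1<<16|0) // major 1, minor 0
	le.PutUint32(buf[8:], 0)       // flags
	le.PutUint32(buf[12:], 0x1234) // resource count (made up)
	le.PutUint32(buf[16:], 0x1235) // table length (made up)
	le.PutUint32(buf[20:], 0x20000)
	le.PutUint32(buf[24:], 0x8000)
	return buf
}

func main() {
	h, err := ParseJImageHeader(bytes.NewReader(sampleJImageHeader()))
	if err != nil {
		panic(err)
	}
	fmt.Printf("JIMAGE v%d.%d, %d resources, byte order %v\n",
		h.MajorVersion, h.MinorVersion, h.ResourceCount, h.ByteOrder)
	// A ZIP (the container Tycoon ships in) starts with PK\x03\x04 and is not a JIMAGE.
	zipHead := append([]byte("PK\x03\x04"), make([]byte, 24)...)
	fmt.Println("zip is JIMAGE:", IsJImage(zipHead))
}
```

Every JDK 9+ installation ships one legitimate JIMAGE, lib/modules, so presence alone proves nothing. The useful signals are a JIMAGE outside a known JDK directory (for instance inside a ZIP unpacked in a user profile or a temp folder) and a lib/modules whose hash does not match the vendor's build; the JDK's own `jimage list <file>` command then enumerates the classes inside for triage.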

The security researchers also discovered that the malware was designed to target both Windows and Linux systems.

The ransomware’s configuration includes the attacker’s email address, the RSA public key, the text of the ransom note, an exclusions list, and a list of shell commands. When executed, the malware first runs the shell commands specified in that configuration.

Tycoon deletes the original files after encryption and also overwrites their disk space to prevent recovery, using the built-in Windows utility cipher.exe for the wipe (its /w switch overwrites free space on a volume, so the deleted plaintext cannot be carved back). During encryption, the malware skips parts of larger files to speed up the process; those files are nonetheless left damaged and unusable.

Each file is encrypted with a different, securely generated AES key. Each AES key is in turn encrypted with the asymmetric RSA algorithm under the attacker’s public key, so decryption requires the attacker’s private RSA key.
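To make the key handling concrete, here is an added Go example of the hybrid scheme the paragraph describes; it is illustrative code written for this page, not Tycoon's implementation or its file format. Each file gets a fresh random AES-256 key (used here in GCM mode, an assumption), the key is wrapped with the operator's RSA public key using OAEP (also an assumption), and only the holder of the matching private key can unwrap it. The blob layout and the file contents are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// NewKeyPair stands in for the pair the operator generates before a campaign: the public
// key is embedded in the ransomware configuration, the private key never leaves the attacker.
func NewKeyPair(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// EncryptFile encrypts one file's contents under a fresh random AES-256-GCM key and wraps
// that key with RSA-OAEP. Output layout (an illustrative choice, not Tycoon's format):
//   uint16 wrapped-key length | RSA-OAEP(AES key) | 12-byte GCM nonce | ciphertext+tag
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 2, 2+len(wrapped)+len(nonce)+len(ciphertext))
	binary.BigEndian.PutUint16(out, uint16(len(wrapped)))
	out = append(out, wrapped...)
	out = append(out, nonce...)
	out = append(out, ciphertext...)
	return out, nil
}

// DecryptFile is what the operator's decryptor does: unwrap the per-file key with the
// private key, then decrypt the file. With any other private key the unwrap fails.
func DecryptFile(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < 2 {
		return nil, errors.New("blob too short")
	}
	wl := int(binary.BigEndian.Uint16(blob))
	if len(blob) < 2+wl {
		return nil, errors.New("blob truncated")
	}
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, blob[2:2+wl], nil)
	if err != nil {
		return nil, fmt.Errorf("unwrapping file key (wrong private key?): %w", err)
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	rest := blob[2+wl:]
	if len(rest) < gcm.NonceSize() {
		return nil, errors.New("blob truncated")
	}
	nonce, ciphertext := rest[:gcm.NonceSize()], rest[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, nil) // fails on any tampering with the ciphertext
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	operator, err := NewKeyPair(2048)
	if err != nil {
		panic(err)
	}
	// Constructed "file" contents standing in for a document on a file server.
	doc := []byte("quarterly-report.docx contents")
	blob, err := EncryptFile(&operator.PublicKey, doc)
	if err != nil {
		panic(err)
	}
	recovered, err := DecryptFile(operator, blob)
	fmt.Printf("operator key: %q (err=%v)\n", recovered, err)
	// A private key from another campaign or version unwraps nothing.
	other, _ := NewKeyPair(2048)
	_, err = DecryptFile(other, blob)
	fmt.Println("other key:", err)
}
```

A private key unwraps only file keys that were wrapped under its own public key, which is why the .redrum private key posted online helped with files from the earliest version and not with anything encrypted under a later campaign's key. Per-file AES keys also mean that recovering one key, for example from memory, unlocks one file rather than the whole dataset.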

“However, one of the victims seeking help on the BleepingComputer forum posted a private RSA key presumably coming from a decryptor the victim purchased from the attackers. This key has proven to be successful in decryption of some of the files affected by the earliest version of Tycoon ransomware that added the .redrum extension to the encrypted files,” the researchers explain.

The same does not work for the more recent version of the ransomware, which appends the .grinch and .thanos extensions to the encrypted files.

“Tycoon has been in the wild for at least six months, but there seems to be a limited number of victims. This suggests the malware may be highly targeted. It may also be a part of a wider campaign using several different ransomware solutions, depending on what is perceived more successful in specific environments,” BlackBerry notes.

The security researchers also identified a possible connection with the Dharma/CrySIS ransomware, based on overlaps in email addresses, the text of the ransom note, and the naming convention used for encrypted files.

“This ransomware attack is the second one in the past month using the Java Runtime Engine (JRE) to execute the attack. While initial information shows a very targeted attack, it illustrates the notion that criminal groups are seeking new ways to avoid detection once inside an organization. Disabling the anti-malware on systems reduces the chance of being discovered by monitoring system administrators before launching the JRE to encrypt the file systems,” James McQuiggan, security awareness advocate at KnowBe4, said in an emailed comment.

Related: Ransomware Forces Shutdown of Texas Judiciary Network

Related: ATM Maker Diebold Nixdorf Hit by Ransomware

Related: Human-Operated Ransomware Is a Growing Threat to Businesses: Microsoft

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
