Multi-Platform ‘Tycoon’ Ransomware Uses Rare Java Image Format for Evasion

A recently discovered multi-platform Java ransomware uses a Java image file (JIMAGE) to evade detection, BlackBerry security researchers report.

Dubbed Tycoon, the ransomware appears to be used only in highly targeted attacks, given the low number of victims and the delivery mechanism employed.

The ransomware’s operators targeted small to medium-sized companies and institutions in the education and software industries, the researchers say. In one instance, they first compromised an Internet-facing Remote Desktop Protocol (RDP) jump server and used it as the starting point for the rest of the intrusion.

The investigation into the incident revealed that the attackers used Image File Execution Options (IFEO) injection for persistence, executed a backdoor alongside the Microsoft Windows On-Screen Keyboard (OSK) feature of the operating system, disabled the anti-malware solution, and timestomped most of their files.
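IFEO persistence works by setting a "Debugger" value under an image's IFEO subkey, so a defender reviewing a compromised host can triage a registry export of that key. The following checker is an added example written for this article, not code from BlackBerry or from the report it summarises; the .reg export it parses is constructed, and the osk.exe entry and the debugger path in it are invented for illustration.

```python
from typing import List, Tuple

# Parent key whose per-image subkeys can carry a "Debugger" value.
IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
            r"\CurrentVersion\Image File Execution Options")

# Constructed .reg export for illustration; the subkeys and paths are invented.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe]
"Debugger"="C:\\ProgramData\\svc\\helper.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"UseFilter"=dword:00000000
"""


def find_ifeo_debuggers(reg_text: str) -> List[Tuple[str, str]]:
    """Return (image name, debugger path) for every IFEO subkey that sets a
    Debugger value. Such an entry makes Windows start the debugger whenever
    the image is launched, so every hit deserves a look; on a workstation
    only entries pointing at a sanctioned debugger should be expected."""
    hits: List[Tuple[str, str]] = []
    image = None                     # image name of the subkey being read
    parent = IFEO_KEY.lower() + "\\"
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            image = key[len(parent):] if key.lower().startswith(parent) else None
        elif image and line.lower().startswith('"debugger"='):
            value = line.split("=", 1)[1].strip()
            # .reg files quote strings and double backslashes; undo both.
            if value.startswith('"') and value.endswith('"'):
                value = value[1:-1].replace("\\\\", "\\")
            hits.append((image, value))
    return hits


if __name__ == "__main__":
    for image, debugger in find_ifeo_debuggers(SAMPLE_REG):
        print(f"{image}: Debugger -> {debugger}")
```

A real export produced with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` is UTF-16 encoded, so open it with `encoding="utf-16"` before passing its text to the function.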

After establishing a foothold onto the environment, the attackers executed the Java ransomware module, which encrypted all file servers connected to the network, including backup systems.

The ransomware is deployed as a ZIP archive containing a trojanized Java Runtime Environment (JRE) build and is compiled into a Java image file (JIMAGE). This file format is used to store custom JRE images and is used by the Java Virtual Machine (JVM) at runtime.

First introduced in Java version 9, the file format is sparsely documented and is rarely used by developers, BlackBerry explains.
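Because the format is rarely seen outside a JRE's lib/modules file, a JIMAGE header found elsewhere is worth flagging during triage. The parser below is an added example written for this article, not code from BlackBerry or the OpenJDK project; the seven-field header layout and the index-size formula follow my reading of OpenJDK's imageFile.hpp, and the sample header it parses is constructed, not a real artifact.

```python
import struct
from typing import Optional

JIMAGE_MAGIC = 0xCAFEDADA   # first four bytes of every JIMAGE file
HEADER_LEN = 28             # seven unsigned 32-bit fields


def parse_jimage_header(data: bytes) -> Optional[dict]:
    """Parse the fixed header of a JIMAGE file (the 'modules' file of a JRE).

    Field layout assumed from OpenJDK's imageFile.hpp: magic, version
    (major << 16 | minor), flags, resource_count, table_length,
    locations_size, strings_size, all in the writer's native byte order,
    so both endiannesses are tried. Returns None when the magic is absent,
    i.e. the data is not a JIMAGE file whatever its extension says.
    """
    if len(data) < HEADER_LEN:
        return None
    for prefix, name in (("<", "little"), (">", "big")):
        f = struct.unpack(prefix + "7I", data[:HEADER_LEN])
        if f[0] != JIMAGE_MAGIC:
            continue
        table_length, locations_size, strings_size = f[4], f[5], f[6]
        return {
            "endian": name,
            "major": f[1] >> 16,
            "minor": f[1] & 0xFFFF,
            "flags": f[2],
            "resource_count": f[3],
            "table_length": table_length,
            "locations_size": locations_size,
            "strings_size": strings_size,
            # header + redirect table + offsets table + locations + strings
            "index_size": HEADER_LEN + 8 * table_length
                          + locations_size + strings_size,
        }
    return None


def build_sample_header(endian: str = "<") -> bytes:
    """Constructed sample header (not a real artifact): version 1.0,
    3 resources, 4 table slots, 64 location bytes, 128 string bytes."""
    return struct.pack(endian + "7I", JIMAGE_MAGIC, 1 << 16, 0, 3, 4, 64, 128)


if __name__ == "__main__":
    print(parse_jimage_header(build_sample_header()))
    # A ZIP/JAR starts with 'PK\x03\x04' and is correctly rejected.
    print(parse_jimage_header(b"PK\x03\x04" + bytes(40)))
```

Reading the first 28 bytes of every file in an extracted archive through this function is enough to spot a JIMAGE file that does not sit at the expected lib/modules path.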

The security researchers also discovered that the malware was designed to target both Windows and Linux systems.

The ransomware’s configuration includes the attacker’s email address, the RSA public key, the content of the ransom note, an exclusions list, and a list of shell commands to be executed. When executed, the malware runs a set of shell commands specified in the configuration file.

Tycoon deletes original files after encryption and also overwrites them to prevent recovery; the built-in Windows utility cipher.exe is used for this task. During encryption, the malware skips parts of larger files to speed up the process, which leaves those files damaged and unusable.

Each file is encrypted with a different AES key. The ransomware uses the asymmetric RSA algorithm to encrypt the securely generated AES keys used for file encryption, so decryption requires the attacker’s private RSA key.

“However, one of the victims seeking help on the BleepingComputer forum posted a private RSA key presumably coming from a decryptor the victim purchased from the attackers. This key has proven to be successful in decryption of some of the files affected by the earliest version of Tycoon ransomware that added the .redrum extension to the encrypted files,” the researchers explain.

The same does not work for the more recent version of the ransomware, which appends the .grinch and .thanos extensions to the encrypted files.

“Tycoon has been in the wild for at least six months, but there seems to be a limited number of victims. This suggests the malware may be highly targeted. It may also be a part of a wider campaign using several different ransomware solutions, depending on what is perceived more successful in specific environments,” BlackBerry notes.

The security researchers also identified a possible connection with the Dharma/CrySIS ransomware, based on overlaps in email addresses, the text of the ransom note, and the naming convention used for encrypted files.

“This ransomware attack is the second one in the past month using the Java Runtime Engine (JRE) to execute the attack. While initial information shows a very targeted attack, it illustrates the notion that criminal groups are seeking new ways to avoid detection once inside an organization. Disabling the anti-malware on systems reduces the chance of being discovered by monitoring system administrators before launching the JRE to encrypt the file systems,” James McQuiggan, security awareness advocate at KnowBe4, said in an emailed comment.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
