A recently discovered multi-platform Java ransomware uses a Java image file (JIMAGE) to evade detection, BlackBerry security researchers report.
Dubbed Tycoon, the ransomware appears to be used only in highly targeted attacks, given the low number of victims and the delivery mechanism employed.
The ransomware’s operators targeted small to medium-sized companies and institutions in the education and software industries, the researchers say. In one instance, they first compromised an Internet-facing remote desktop protocol jump-server and used it for further compromise.
The investigation into the incident revealed that the attackers used Image File Execution Options (IFEO) injection for persistence, that they executed a backdoor alongside the Microsoft Windows On-Screen Keyboard (OSK) feature of the operating system, that they proceeded to disable the anti-malware solution, and that most of their files were timestamped.
After establishing a foothold in the environment, the attackers executed the Java ransomware module, which encrypted all file servers connected to the network, including backup systems.
The ransomware is deployed as a ZIP archive containing a trojanized Java Runtime Environment (JRE) build and is compiled into a Java image file (JIMAGE). This file format is used to store custom JRE images and is used by the Java Virtual Machine (JVM) at runtime.
First introduced in Java version 9, the file format is sparsely documented and is rarely used by developers, BlackBerry explains.
The security researchers also discovered that the malware was designed to target both Windows and Linux systems.
The ransomware’s configuration includes the attacker’s email address, the RSA public key, the content of the ransom note, an exclusions list, and a list of shell commands to be executed. When executed, the malware runs a set of shell commands specified in the configuration file.
Tycoon deletes original files after encryption and also overwrites them to prevent recovery. The embedded Windows utility cipher.exe is exploited for this task. During encryption, the malware skips parts of larger files to speed up the process, which results in those files being damaged and unusable.
Each file is encrypted using a different AES key. The ransomware uses the asymmetric RSA algorithm to encrypt the securely generated AES keys used in encryption, meaning that decryption requires the attacker’s private RSA key.
“However, one of the victims seeking help on the BleepingComputer forum posted a private RSA key presumably coming from a decryptor the victim purchased from the attackers. This key has proven to be successful in decryption of some of the files affected by the earliest version of Tycoon ransomware that added the .redrum extension to the encrypted files,” the researchers explain.
The same does not work for the more recent version of the ransomware, which appends the .grinch and .thanos extensions to the encrypted files.
“Tycoon has been in the wild for at least six months, but there seems to be a limited number of victims. This suggests the malware may be highly targeted. It may also be a part of a wider campaign using several different ransomware solutions, depending on what is perceived more successful in specific environments,” BlackBerry notes.
The security researchers also identified a possible connection with the Dharma/CrySIS ransomware, based on overlaps in email addresses, the text of the ransom note, and the naming convention used for encrypted files.
“This ransomware attack is the second one in the past month using the Java Runtime Engine (JRE) to execute the attack. While initial information shows a very targeted attack, it illustrates the notion that criminal groups are seeking new ways to avoid detection once inside an organization. Disabling the anti-malware on systems reduces the chance of being discovered by monitoring system administrators before launching the JRE to encrypt the file systems,” James McQuiggan, security awareness advocate at KnowBe4, said in an emailed comment.