There’s a new Java ransomware family on the block

Written by

BlackBerry and KPMG’s UK Cyber Response Services uncovered a new ransomware strain that uses an obscure file format to avoid detection, according to new research published Thursday.

After researchers conducted forensic investigations at a European educational institution, they uncovered that attackers had gained access to the unnamed institution through an internet-connected remote desktop server, according to the Blackberry Research and Intelligence Team. The ransomware, which Blackberry has dubbed Tycoon, uses a little known Java image format to avoid detection and then encrypts file servers, locking administrators out unless they pay a ransom.

Tycoon is highly targeted and has affected only approximately a dozen victims, BlackBerry’s Vice President of GUARD Services and Director of GUARD Threat Hunting & Intelligence, Eric Milam and Claudiu Teodorescu, told CyberScoop. The ransomware has generally targeted small- and medium-sized education and software entities so far.

And although the new ransomware has only affected a limited number of victims, Tycoon is a reminder that even as hackers increasingly use ransomware to target larger entities that may have more financial resources to make good on ransom demands, the ransomware threat for small and medium sized businesses has not gone away.

Obfuscation

The malware, which appears to be capable of targeting both Windows and Linux, employs several techniques to avoid detection, such as working to disable organizations’ anti-malware solutions to conceal its activities.

But some of its obfuscation efforts are somewhat unusual. For instance, the malware is compiled into a Java image file (JIMAGE), which is rarely used by developers, according to BlackBerry. JIMAGE is normally used to store custom images and is used at runtime.

“This is the first sample we’ve encountered that specifically abuses the Java JIMAGE format to create a custom malicious JRE build,” BlackBerry researchers write, noting that using Java ransomware itself is fairly unusual.

“Malware writers are constantly seeking new ways of flying under the radar. They are slowly moving away from conventional obfuscation and shifting towards uncommon programming languages and obscure data formats,” the researchers say.

Stealthiness aside, some victims of early Tycoon ransomware may be able to recover data without paying the ransom, since the hackers have employed a commonly used RSA private key in earlier deployments, according to BlackBerry.

Links to other ransomware

It is unclear who the ransomware’s operators are, but the malware has some similarities with Dharma or CrySIS ransomware, which has been in operation since 2016.

“The overlap in some of the email addresses, as well as the text of the ransom note and the naming convention used for encrypted files, suggests a connection between Tycoon and Dharma/CrySIS ransomware,” the researchers write.

In some previous infections, Dharma has not been decryptable, McAfee researchers say.

Dharma and Tycoon also both appear to be using the same kind of initial entry point, an Internet facing RDP jump-server, to then leverage weak credentials, Milam and Teodorescu told CyberScoop.

There is no confirmed connection between Dharma and Tycoon, the researchers note, but acknowledge that Tycoon could also be a part of broader ransomware campaigns, “depending on what is perceived more successful in specific environments,” the BlackBerry researchers write.