The ransomware is aimed at SMEs, educational institutions and software companies and uses Java to encrypt server-based files, according to BlackBerry and KPMG.
Cyber criminals are always looking for new tricks and techniques to attack potential victims without getting caught. This is especially true for ransomware attackers, who have to intrude secretly into a company’s network in order to encrypt the confidential files they want to take hostage. A new ransomware campaign called Tycoon uses Java to hit Windows and Linux servers. A report released on Thursday by the BlackBerry Research and Intelligence Team and KPMG’s UK Cyber Response Services explains how this attack works.
Tycoon is a cross-platform Java ransomware that aims to encrypt files on Windows and Linux servers. To avoid exposure, Tycoon uses an obscure Java image format called JIMAGE, which stores JRE (Java Runtime Environment) images that are used by the Java Virtual Machine (JVM) at runtime.
In particular, the Tycoon ransomware is delivered as a ZIP archive containing a trojanized JRE build. Although earlier ransomware samples have been written in Java, this is the first time BlackBerry and KPMG have seen the Java JIMAGE format used to build a custom, malicious JRE.
This ransomware is aimed at small and medium-sized companies, educational institutions and software companies. The initial infection occurs via an Internet-facing RDP (Remote Desktop Protocol) server, a system used to manage other devices within their own security zone. After attacking the domain controller and file servers, the criminals lock system administrators out of their computers.
The report uses a diagram to describe each phase of the attack:
1. The attacker connects to the systems via an RDP server in the network.
2. The attacker finds an interesting target and obtains the credentials of the local administrator.
3. The attacker installs a “hacker as a server” process and then disables local antivirus security.
4. The attacker drops a back door on the compromised system and then leaves the network.
5. The attacker connects to an RDP server and uses it to move laterally across the network.
6. The attacker manually initiates RDP connections to each server.
7. The attacker executes the hacker process and deactivates the security protection.
8. The attacker executes a batch file to start the ransomware.
9. The attacker does the same for every target server on the network.
Image: BlackBerry and KPMG
The compromised files are encrypted using AES-256 in Galois/Counter Mode (GCM) with a 16-byte GCM authentication tag to ensure data integrity. By leaving certain parts of larger files unencrypted, the attackers speed up the process while still rendering the files unusable. The encryption is additionally protected with an asymmetric RSA algorithm, so decryption requires the attacker’s 1024-bit RSA private key; recovering the data without that key would require enormous computing power.
In the BleepingComputer forum, one of the victims of the ransomware published a private RSA key, which allegedly came from a decryptor bought by the attackers. This key was used to decrypt files that were affected by an early version of Tycoon ransomware that added the .redrum extension to the encrypted files. However, the key does not work for the latest “happyny3.1” version of Tycoon, which adds .grinch and .thanos extensions to the encrypted files.
Although Tycoon has been seen in the wild for about six months, the number of victims appears to be limited. This suggests the campaign may be targeted only at certain organizations, or may be part of a larger attack involving different types of ransomware.
To protect against ransomware, companies need to defend themselves from attack and safeguard their data. Doing so requires more than the usual security methods.
“As the ransomware threat grows, patch efficiency, antivirus software, and simple endpoint management are no longer sufficient,” said Eric Milam, vice president of threat intelligence for BlackBerry. “Security teams need to choose (solutions) that use signature-based patterns, behavioral analysis, and machine learning, as well as a strong research and development team. As a proactive / cyber sanitation approach, ensure that all backups are stored off-site, either physically or in the cloud, with solutions that can add an additional layer of security to identify and prevent encryption.”
However, if a ransomware attack does occur, there are ways that companies can recover more effectively and quickly.
“Solutions that allow administrators to freeze accounts once a ransomware infection is detected are on the rise,” said Milam. “On a per-user and per-infection basis, the account can be reset to a point before the infection occurred. This way, no data is lost and no ransom is paid. The infection is simply deleted, as if it never happened. Ransomware or not, robust data protection practices like this will stand the test of time.”
Even if your data is encrypted with ransomware, you have certain options.
“There are many publicly available free decryptors that work with some of the ransomware families,” said Milam. “In some cases it may also be possible to partially restore the files using file recovery software. If you have no backups or data recovery options (publicly available decryptors / data recovery tools), bring in experts who are used to dealing with these situations. You don’t want to add insult to injury by paying the ransom and still not getting the data back.”
Should an organization ever consider paying the ransom?
“Basically, the security community does not recommend paying cyber criminals, because it justifies and drives the ransomware business,” said Milam. “However, we understand that some of the most targeted and damaging attacks (such as those on critical infrastructure or healthcare providers) may leave no way to restore operations and preserve human life other than meeting the ransom demands. Cases and circumstances vary dramatically from one to another; there is no golden rule. In any scenario, however, victims should work closely with law enforcement and do everything they can to assist with the investigation.”