Tycoon is a recently discovered ransomware family.
It is not widely known because it operates quite differently from other ransomware: it has been identified in a small number of targeted and fairly effective intrusions, and otherwise goes unnoticed.
The name Tycoon comes from references in its code. Researchers say the ransomware has been active since at least December 2019 and is used against both Windows and Linux systems. Since its discovery it has only been seen in targeted attack campaigns, which paints its operators as highly selective.
Its deployment is unusual and is designed to keep it hidden on the compromised network for as long as possible. The sectors most targeted by the hackers using Tycoon are education and software. Its distinguishing feature is that it is written in Java.
It was discovered through a collaboration between BlackBerry security researchers and KPMG specialists. Because it is written in Java, its form is unusual: its operators deploy it as a trojanized Java Runtime Environment (JRE) build, and the malicious code is compiled into a Java image (JIMAGE) file, which makes it easier to conceal. "These two methods are unique. Java is very rarely used to write malware on endpoints because it requires the Java Runtime Environment to be able to run the code. Image files are rarely used for malware attacks. Attackers are turning to unusual programming languages and obscure data formats. Here, the attackers didn't have to hide their code in order to achieve their goals," said Eric Milam, BlackBerry's vice president of research and intelligence.
The attack itself begins in an unremarkable way: the intruders get in through insufficiently secured RDP servers, which is a very common entry point in campaigns involving malware. The most vulnerable servers are those with weak passwords, or those that were already compromised in a previous attack. "Once inside the network, attackers use IFEO (Image File Execution Options) injection settings, which most often allow developers to debug software, to stay in place," explains Eric Milam. The hackers then use administrator privileges to get rid of anti-malware solutions with the help of ProcessHacker, to increase their chance of success.
Once executed, the ransomware encrypts files across the network and appends specific extensions to them, such as .redrum, .grinch and .thanos. In line with the usual ransomware playbook, the attackers then demand a ransom to release the network. Payment is required in bitcoin; the amount varies depending on the victim and on how readily they contact the criminals.
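The IFEO persistence mentioned above works by giving a target executable a "Debugger" value in the registry, so that Windows launches the named "debugger" instead of the target. The following PowerShell audit is an added example written for this article, not code from the BlackBerry/KPMG research; it assumes it is run from an elevated PowerShell on the host being checked, and the allow-list of legitimate developer debuggers is illustrative and should be tuned to your environment.

```powershell
# Added example (not from the BlackBerry/KPMG research): enumerate IFEO "Debugger"
# entries, which redirect the launch of a target executable to another program.
# Assumptions: elevated PowerShell on the host being checked; the allow-list of
# developer debuggers below is illustrative and should match what your fleet uses.

$IfeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

# Debugger executables that are usually benign developer tooling; anything else is flagged.
$KnownDebuggers = @('vsjitdebugger.exe', 'windbg.exe', 'windbgx.exe', 'ntsd.exe', 'cdb.exe', 'procdump.exe')

function Get-IfeoDebuggerHijack {
    param(
        [string[]]$Roots = $IfeoRoots,
        [string[]]$AllowList = $KnownDebuggers
    )

    $findings = @()
    foreach ($root in $Roots) {
        foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            # Only keys that carry a Debugger value redirect execution; skip the rest.
            $props = Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue
            if (-not $props) { continue }

            $debugger = ([string]$props.Debugger).Trim()
            # Isolate the executable: either the quoted path or the first whitespace-delimited token.
            if ($debugger -match '^"([^"]+)"') { $exePath = $Matches[1] }
            else { $exePath = ($debugger -split '\s+', 2)[0] }
            $exeName = [System.IO.Path]::GetFileName($exePath).ToLowerInvariant()

            $findings += [pscustomobject]@{
                Hive        = $root
                Target      = $key.PSChildName      # program whose launch is intercepted
                Debugger    = $debugger             # what actually runs in its place
                DebuggerExe = $exeName
                # A full path that no longer exists is worth a look too (payload removed or renamed).
                PathExists  = [System.IO.Path]::IsPathRooted($exePath) -and (Test-Path -LiteralPath $exePath)
                Suspicious  = ($AllowList -notcontains $exeName)
            }
        }
    }
    return $findings
}

$results = @(Get-IfeoDebuggerHijack)
if ($results.Count -eq 0) {
    'No IFEO Debugger entries found.'
} else {
    $results | Sort-Object Suspicious -Descending |
        Format-Table Target, DebuggerExe, Suspicious, PathExists, Debugger -AutoSize
}
```

Any entry whose Debugger points at something other than a known debugger, especially a user-writable path or a system utility that has no business acting as a debugger, should be treated as a persistence finding and compared against the original binary's behaviour before it is removed.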
According to BlackBerry researchers, it is highly likely that "Tycoon could potentially be linked to another form of ransomware, Dharma, also known as Crysis, because of similarities in email addresses, encrypted file names and the text of the ransom demand." And since campaigns based on this program are still ongoing, it seems likely that the cybercriminals are succeeding.
The good news is that it can be stopped remotely. As a precaution, however, it is recommended to keep equipment updated and to avoid anything likely to expose one of the endpoints connected to the company network. BlackBerry's experts recommend: "As RDP is a widespread factor in network compromise, organizations can ensure that only ports that require an internet connection are exposed to it." To that end, companies must ensure that the accounts used to access those ports do not rely on default credentials or on passwords weak enough to be guessed by an attacker.
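The two conditions in that advice, an RDP listener reachable from anywhere and credentials that can be guessed, can be checked on a single Windows host with the PowerShell audit below. It is an added example written for this article, not BlackBerry's tooling; it assumes an elevated PowerShell on the host, the Get-NetFirewall* cmdlets (Windows 8 / Server 2012 and later), an English-language build for the `net accounts` output, and that the local password policy (not a domain one) is what applies.

```powershell
# Added example (not BlackBerry's code): audit a Windows host for RDP exposure and a
# weak local password policy, the two conditions the hardening advice is about.
# Assumptions: elevated PowerShell; Get-NetFirewall* cmdlets available; "net accounts"
# output in English; local (not domain) account policy is what governs RDP logons.

$TerminalServerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcpKey         = "$TerminalServerKey\WinStations\RDP-Tcp"

function Get-RdpExposureReport {
    $deny = (Get-ItemProperty -Path $TerminalServerKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $nla  = (Get-ItemProperty -Path $RdpTcpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    $port = (Get-ItemProperty -Path $RdpTcpKey -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
    if (-not $port) { $port = 3389 }   # default listener port when the value is absent

    # Enabled inbound allow rules for the RDP port whose remote scope is unrestricted ("Any").
    $openRules = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue) {
        $portFilter = $rule | Get-NetFirewallPortFilter
        $addrFilter = $rule | Get-NetFirewallAddressFilter
        $hitsPort   = ($portFilter.Protocol -eq 'TCP') -and
                      (('Any' -in @($portFilter.LocalPort)) -or ("$port" -in @($portFilter.LocalPort)))
        if ($hitsPort -and ('Any' -in @($addrFilter.RemoteAddress))) { $rule.DisplayName }
    }

    # Local account policy: a zero minimum length or no lockout invites password guessing over RDP.
    $policy  = (net accounts 2>$null) | Out-String
    $minLen  = if ($policy -match 'Minimum password length\s+(\d+)') { [int]$Matches[1] } else { $null }
    $lockout = if ($policy -match 'Lockout threshold\s+(\S+)')       { $Matches[1] }      else { $null }

    $weakCreds = (-not $minLen) -or ($minLen -lt 8) -or ($lockout -eq 'Never')

    [pscustomobject]@{
        RdpEnabled         = ($deny -eq 0)
        NlaRequired        = ($nla -eq 1)
        ListenerPort       = $port
        RulesOpenToAnyHost = @($openRules)
        MinPasswordLength  = $minLen
        LockoutThreshold   = $lockout          # "Never" means accounts are never locked out
        # Exposed: RDP is on, reachable from any address, and either NLA is off or credentials can be guessed.
        Exposed            = ($deny -eq 0) -and (@($openRules).Count -gt 0) -and (($nla -ne 1) -or $weakCreds)
    }
}

Get-RdpExposureReport | Format-List
```

A host that reports Exposed = True should either have its RDP firewall rule scoped to a VPN or management subnet, or have the listener disabled outright; requiring Network Level Authentication and a lockout threshold closes the password-guessing path the article describes, but does nothing for an account whose password was already captured in an earlier breach, which is why those credentials must be rotated as well.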