In partnership with KPMG’s UK Cyber Response Services team, BlackBerry reports it has unearthed a new ransomware strain written in Java. The ransomware was deployed in a targeted attack against an organisation whose system administrators had been locked out of their systems following an attack on their domain controller and file servers. Forensic investigation of the infected systems showed that the initial intrusion occurred via an Internet-facing RDP jump-server.
Dubbed Tycoon, this multi-platform Java ransomware has been observed in the wild since at least December 2019. It comes in the form of a trojanised Java Runtime Environment (JRE) build and uses an obscure, uncommon Java image format (JIMAGE, the container format for the modules file in a JRE's lib directory) to fly under the radar.
The threat actors behind Tycoon were observed using highly targeted delivery mechanisms to infiltrate small to medium-sized companies and institutions in the education and software industries, where they would proceed to encrypt file servers and demand a ransom.
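A quick triage check suggested by the trojanised-JRE delivery, added here as an example and not taken from the BlackBerry/KPMG write-up: the stock `jimage` tool (shipped with every JDK since 9) can list the modules packed into a JRE's lib/modules file, so comparing the module names against the set a vendor build normally ships is a cheap first look at a suspect runtime. The sample `jimage list` output below is constructed for the example, the module name `example.payload` is a placeholder and not a name from any real sample, and the script assumes the malicious code appears as an extra module; a payload spliced into an existing `java.*` or `jdk.*` module would not be caught by this and needs a hash comparison against a known-good JRE of the same version.

```shell
#!/bin/sh
# Added example: flag modules inside a JRE's lib/modules (JIMAGE container)
# whose names are not among those a stock OpenJDK/Oracle build ships.
# Feed it the output of:  jimage list "$JAVA_HOME/lib/modules"

flag_unknown_modules() {
    # Reads `jimage list` output on stdin; prints each non-standard module name.
    # `jimage list` prints a "Module: <name>" header before each module's entries.
    grep '^Module: ' | sed 's/^Module: //' | while read -r mod; do
        case "$mod" in
            java.*|javafx.*|jdk.*|oracle.*) ;;      # expected in a vendor build
            *) printf '%s\n' "$mod" ;;             # anything else: inspect it
        esac
    done
}

# Constructed sample of `jimage list` output (not from a real Tycoon sample).
# "example.payload" is a placeholder name used only to exercise the check.
SAMPLE='jimage: /opt/jre/lib/modules

Module: java.base
    java/lang/Object.class
    java/lang/String.class
Module: jdk.zipfs
    jdk/nio/zipfs/ZipFileSystem.class
Module: example.payload
    example/payload/Main.class'

# Run against the constructed sample; prints: example.payload
printf '%s\n' "$SAMPLE" | flag_unknown_modules
```

On a live host, run `jimage list` from a trusted JDK install (not the binaries inside the suspect JRE, which may themselves be modified), and follow any hit by extracting the module with `jimage extract --dir <out> <modules-file>` for static review.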
You can read more here: Threat Spotlight: Tycoon Ransomware Targets Education and Software Sectors