Researchers at BlackBerry which work with security analysts at KPMG have uncovered a new form of ransomware that called Tycoon which will be exploiting Windows and Linux system. This type of malware will take advantage of stay hidden on a compromised network via an uncommon deployment technique.

The malware is been written in Java and been executed as a trojan version of Java Runtime Environment in terms of hiding any malicious intentions that have compiled in a Jimage(Java Image file)

VP for Research and Intelligence at BlackBerry, Eric, Milam told ZDNet that

These are both unique methods. Java is very seldom used to write endpoint malware because it requires the Java Runtime Environment to be able to run the code. Image files are rarely used for malware attacks

How Tycoon works?

An attacker will use a method to penetrate using an insecure RDP server of internet-facing which considered as a less uncommon method to use. Normally, an attacker will use malware campaigns and will exploit the server based on weak or recent compromised passwords for their common attacks.

Attackers will try to maintain persistence once they are inside the network by use injection methods such as Image File Execution Options. This type of injection method normally been used by developers to debugging the software. In order of stopping any interruption and removal of their attack’s progress, the attacker will try to disable anti-malware software via ProcessHacker.

An attacker will demand a ransom in exchange for the decryption key where the ransomware will encrypt all the network with files been encrypted by Tycoon Malware.

The Tycoon extensions will have file such as

  • .redrum,
  • .grinch
  • .thanos


To prevent this malware to be spread further or damage organization’s network, the responsibilities team in the organization should be able to ensure that all the account need to monitor and provide access privilege such as password creation. This will make harder for the attacker to guessed easily which they have intention of breaking in with a default credentials and weak password.

Another Workaround that organizations can take account is that they need to do a regular backup of their network so that when the worst scenario did happen, they can restore the network immediately

Source: This new ransomware is targeting Windows and Linux PCs with a ‘unique’ attack

By Wan Ariff

He brings with him working experience in Information Security filed which specializing in Penetration Testing and Digital Forensic. His passion is more to IT Security

Leave a Reply

Your email address will not be published. Required fields are marked *