New Tycoon ransomware leverages JIMAGE files, steals PII, encrypts Linux and Windows systems

A new strain of ransomware dubbed Tycoon seeks to take advantage of Java Image (JIMAGE) files that are internal to Java and would typically not raise any red flags for administrators and security managers.

The discovery was brought to light by the BlackBerry Research and Intelligence Team in partnership with KPMG’s UK Cyber Response Services, which released a detailed report today outlining the new ransomware strain.

“JIMAGE files are as normal as DLLs are in the Windows world, they appear to be a part of the way Java normally functions,” says Eric Milam, vice president of Guard Services at BlackBerry.  

Milam adds that malware writers constantly seek new ways of flying under the radar, noting that they are moving away from conventional obfuscation and shifting towards uncommon programming languages and obscure data formats. The report also notes that overlap in some of the email addresses, the text of the ransom note and the naming convention used for encrypted files suggests a connection between Tycoon and the Dharma/CrySIS ransomware.

“We have already seen a substantial increase in ransomware written in languages such as Java and Go,” says Claudiu Teodorescu, director of threat hunting and intelligence at BlackBerry Guard. “This is the first sample we've encountered that specifically abuses the Java JIMAGE format.”

According to the report, Tycoon has been in the wild for at least six months, but the number of known victims is small, which suggests the malware is highly targeted. BlackBerry was first approached about Tycoon at the end of April by KPMG, which had been called in by a European university that had been hit with the ransomware. The ransomware, which initially appended a .redrum extension to encrypted files, first surfaced on the Bleeping Computer forums last December. Later samples examined in the BlackBerry/KPMG report used a .thanos extension.

Milam says Tycoon was deployed in a targeted attack against the university in which the system administrators had been locked out of their systems following an attack on their domain controller and file servers. After conducting forensic investigations of the infected systems, it became clear that the initial intrusion occurred via an Internet-facing RDP jump server. The investigators also found that the attackers were inside the network for an extended period of time, stealing valuable PII (personnel and medical records) before encrypting the systems with the Tycoon ransomware.

Charles Ragland, a security engineer at Digital Shadows, a provider of digital risk protection solutions, says this new research highlights ways cybercriminals change their tactics and techniques to obfuscate malware delivery and evade detection. The cybercriminals gain initial entry via RDP, a commonly exposed service that can easily be misconfigured and abused by attackers.

“Organizations looking to minimize their risk to attacks that leverage this type of infection vector should minimize exposing RDP to the Internet, and enable Network Level Authentication if they haven't already done so,” Ragland says. “While ransomware itself is becoming more and more sophisticated, many of the delivery methods remain the same. Practicing good security hygiene can significantly reduce an organization's attack surface.”

Chris Morales, head of security analytics at Vectra, adds that while it’s an important discovery and cause for concern, he sees the BlackBerry/KPMG news as just another manual attack leveraging RDP to drop a file on a server for encryption, something Vectra identified as a trend last year.

“We also identified that ransomware was dropped as a package later in the attack lifecycle, enabling attackers to persist inside networks for days and weeks if not months,” Morales explains. “This is why every ransomware attack becomes a data breach, as the data is stolen before files are encrypted.”

Tycoon ransomware comes in the form of a ZIP archive containing a Trojanized Java Runtime Environment (JRE) build. According to the report, the malware was compiled into a Java image file (JIMAGE) located at lib\modules within the build directory. Using JIMAGE was especially clever because it is a special file format that stores custom JRE images for use by the Java Virtual Machine (JVM) at runtime; it contains the resources and class files of all the Java modules that make up the specific JRE build. The format was introduced in Java 9 and is largely undocumented. Unlike the more widely used Java Archive (JAR) format, JIMAGE is internal to the JDK and is rarely handled directly by developers, so a replaced lib\modules file is easy to overlook.
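Because lib\modules is opaque to most tooling, a practitioner triaging a suspect JRE build wants two things: confirmation that the file really is a JIMAGE the JVM would load, and a comparison against the vendor's own build of the same version. The following is an added example written for this article, not code from the BlackBerry/KPMG report or from the JDK. The header layout (seven 32-bit words in the build's native byte order: magic 0xCAFEDADA, version, flags, resource count, table length, locations size, strings size) follows OpenJDK's imageFile.hpp; the sample bytes are constructed here, and the `known_good_sha256` value is an assumed input you would obtain by hashing lib\modules from a pristine JRE download.

```python
"""Triage a Java JIMAGE file (the lib/modules file of a JRE build).

Header layout follows OpenJDK's src/hotspot/share/classfile/imageFile.hpp:
seven 32-bit words in the build's native byte order, then a redirect table
and an offsets table (table_length u4 entries each), the location attribute
bytes and the string table, followed by the resources themselves.
"""
import hashlib
import struct
from dataclasses import dataclass

JIMAGE_MAGIC = 0xCAFEDADA   # native byte order; reads as 0xDADAFECA when byte-swapped
EXPECTED_VERSION = (1, 0)   # the only major.minor a JDK 9+ runtime accepts
HEADER_SIZE = 7 * 4


@dataclass
class JImageHeader:
    byte_order: str         # "<" little-endian or ">" big-endian
    major: int
    minor: int
    flags: int
    resource_count: int
    table_length: int
    locations_size: int
    strings_size: int

    def index_size(self) -> int:
        """Bytes from file start to the first resource (header + index tables)."""
        return (HEADER_SIZE + 2 * 4 * self.table_length
                + self.locations_size + self.strings_size)


def parse_jimage_header(data: bytes) -> JImageHeader:
    """Decode the header, detecting byte order from which way the magic matches."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short to be a JIMAGE file")
    for order in ("<", ">"):
        (magic,) = struct.unpack_from(order + "I", data, 0)
        if magic == JIMAGE_MAGIC:
            break
    else:
        raise ValueError("not a JIMAGE file (first bytes %s)" % data[:4].hex())
    version, flags, res, tab, locs, strs = struct.unpack_from(order + "6I", data, 4)
    # Version word packs major in the high 16 bits and minor in the low 16 bits.
    return JImageHeader(order, version >> 16, version & 0xFFFF, flags, res, tab, locs, strs)


def triage_modules_file(data: bytes, known_good_sha256=None) -> list:
    """Return a list of findings (empty list means nothing suspicious found).

    A well-formed header only proves the JVM would load the file; it says
    nothing about what is inside. The hash comparison against a vendor JRE
    of the same version is what actually catches a swapped-in build.
    """
    findings = []
    try:
        hdr = parse_jimage_header(data)
    except ValueError as e:
        return ["not a JIMAGE: %s" % e]
    if (hdr.major, hdr.minor) != EXPECTED_VERSION:
        findings.append("unexpected JIMAGE version %d.%d" % (hdr.major, hdr.minor))
    if hdr.index_size() > len(data):
        findings.append("index tables (%d bytes) run past end of file (%d bytes)"
                        % (hdr.index_size(), len(data)))
    if hdr.resource_count == 0:
        findings.append("JIMAGE declares zero resources")
    if known_good_sha256 is not None:
        digest = hashlib.sha256(data).hexdigest()
        if digest != known_good_sha256.lower():
            findings.append("sha256 %s does not match known-good %s" % (digest, known_good_sha256))
    return findings


def build_header(order: str, resource_count: int, table_length: int,
                 locations_size: int, strings_size: int,
                 version=(1, 0), flags=0) -> bytes:
    """Constructed test fixture: a header followed by zero-filled index tables."""
    version_word = (version[0] << 16) | version[1]
    head = struct.pack(order + "7I", JIMAGE_MAGIC, version_word, flags,
                       resource_count, table_length, locations_size, strings_size)
    return head + b"\0" * (2 * 4 * table_length + locations_size + strings_size)


if __name__ == "__main__":
    # Constructed sample, not a real lib/modules file: two resources, two slots,
    # 16 bytes of location attributes, 32 bytes of strings, 64 bytes of payload.
    sample = build_header("<", 2, 2, 16, 32) + b"\0" * 64
    print(parse_jimage_header(sample))
    print(triage_modules_file(sample, hashlib.sha256(sample).hexdigest()))   # []
    print(triage_modules_file(b"PK\x03\x04" + b"\0" * 60))  # a ZIP/JAR, not a JIMAGE
```

Run it against the real file with `triage_modules_file(open("lib/modules", "rb").read(), known_good)`; a file that parses cleanly but fails the hash check is exactly the case described in this article, and the next step is to extract and inspect the class resources rather than trust the header.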

Milam also adds that by using a Java-based technique, the ransomware could move freely across platforms, attacking the Linux and Windows servers at the university as well as various desktop systems. He says it’s also interesting that the attack was at a university, which he called a “giant playground” for potential cybercriminals.

“Universities are typically very lax when it comes to security, students don’t always come to learn the latest security techniques, they are learning basic subjects,” Milam says. “This could be a part of a much larger campaign using several different ransomware solutions, depending on what is perceived more successful in specific environments.”

BlackBerry said nothing specific has yet been released about the extent of the damage to the European university.
