Linux and Windows systems targeted by new Tycoon ransomware


A new ransomware strain is targeting Linux and Windows systems across a number of industries, security experts have warned.

The malware, named Tycoon by the researchers from the BlackBerry Research and Intelligence Team who discovered it in partnership with KPMG's UK Cyber Response Services, is being used in what appear to be highly targeted attacks on SMBs in the software and education industries.

The ransomware is all the more dangerous because it is not limited to one platform: it affects both Windows and Linux, which are widely used across the targeted industries.

Tycoon ransomware

The team observed that Tycoon appears to be manually deployed, with the operators targeting individual systems and connecting to an RDP server. Once a target had been identified and infiltrated using local administrator credentials, the attacker disabled the antivirus and installed the ProcessHacker utility.

The ransomware takes the form of a trojanized Java Runtime Environment (JRE) build which evades detection by piggy-backing on an obscure Java image format (JIMAGE). Persistence relies on image file execution options (IFEO), settings stored in the Windows registry that ostensibly exist to let developers debug their software by having a debugging application attached whenever a target application is launched.
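Because IFEO persistence works by setting a "Debugger" value under an image name in the registry, a defender can audit those keys offline from a `reg export` of the IFEO hive. The script below is an added example, not code from the article or from BlackBerry: it parses the text format that `reg export` produces and lists every image that has a Debugger value set, with an optional allowlist for images a developer deliberately debugs. The registry export embedded in it is constructed, and the `C:\PLACEHOLDER\...` path and `victim-app.exe` name are placeholders rather than indicators from the Tycoon campaign.

```python
"""Audit Image File Execution Options (IFEO) "Debugger" entries from a registry export.

Added example (not from the original article). Input is the text written by:
    reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg
Note that reg.exe writes the file as UTF-16 with a BOM; see audit_file() below.
"""
import re
from typing import Dict, Iterable, List, Tuple

IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
               r"\CurrentVersion\Image File Execution Options")

# Constructed sample export: two benign keys (no Debugger value) and one hijacked
# image. The image name and the debugger path are placeholders, not real IoCs.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"DisableExceptionChainValidation"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\devenv.exe]
"UseFilter"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\victim-app.exe]
"Debugger"="C:\\PLACEHOLDER\\jre\\bin\\java.exe -m example.module/example.Main"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<raw>.*)$')


def _decode_string(raw: str) -> str:
    """Strip the quotes of a REG_SZ export and undo its backslash escaping."""
    inner = raw[1:-1]
    return re.sub(r"\\(.)", r"\1", inner)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Map each key path to its values; value names are lower-cased because the
    registry treats them case-insensitively. Non-string data (dword:, hex:) is
    kept verbatim since only string Debugger values matter here."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            keys[current] = {}
            continue
        if current is None:
            continue
        value_match = VALUE_RE.match(line)
        if not value_match:
            continue
        name, raw = value_match.group("name").lower(), value_match.group("raw")
        if raw.startswith('"') and raw.endswith('"'):
            keys[current][name] = _decode_string(raw)
        else:
            keys[current][name] = raw
    return keys


def find_ifeo_debuggers(text: str, allowlist: Iterable[str] = ()) -> List[Tuple[str, str]]:
    """Return (image name, debugger command) for every IFEO image with a Debugger
    value, skipping images a developer has knowingly allowlisted."""
    allowed = {name.lower() for name in allowlist}
    prefix = IFEO_PREFIX.lower() + "\\"
    hits: List[Tuple[str, str]] = []
    for key, values in parse_reg_export(text).items():
        if not key.lower().startswith(prefix):
            continue
        image = key[len(IFEO_PREFIX) + 1:]
        if "\\" in image:  # nested subkeys (e.g. ...\image\PerfOptions) are not hijack points
            continue
        debugger = values.get("debugger")
        if debugger and image.lower() not in allowed:
            hits.append((image, debugger))
    return hits


def audit_file(path: str, allowlist: Iterable[str] = ()) -> List[Tuple[str, str]]:
    """Audit a real reg.exe export (UTF-16 with BOM) on disk."""
    with open(path, encoding="utf-16") as fh:
        return find_ifeo_debuggers(fh.read(), allowlist)


if __name__ == "__main__":
    for image, debugger in find_ifeo_debuggers(SAMPLE_REG_EXPORT):
        print(f"IFEO Debugger set for {image}: {debugger}")
```

Any image that shows up here on a production host deserves a look: a legitimate debugger entry points at a tool the administrators installed on purpose, whereas a command that launches an interpreter or runtime from an unusual directory is the pattern to investigate, and the same parser can be run over exports collected from many hosts during incident response.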

Once the ransomware is executed on a system, the malware proceeds to encrypt file servers and demand a ransom from the victims. BlackBerry noted that the malicious JRE build used contained both Windows and Linux versions, suggesting the criminals wanted to target multiple systems and servers.

"Malware writers are constantly seeking new ways of flying under the radar," BlackBerry wrote in a blog post explaining the findings. "They are slowly moving away from conventional obfuscation and shifting towards uncommon programming languages and obscure data formats. We have already seen a substantial increase in ransomware written in languages such as Java and Go. This is the first sample we've encountered that specifically abuses the Java JIMAGE format to create a custom malicious JRE build."

"Tycoon has been in the wild for at least six months, but there seems to be a limited number of victims. This suggests the malware may be highly targeted. It may also be a part of a wider campaign using several different ransomware solutions, depending on what is perceived more successful in specific environments."

Mike Moore
Deputy Editor, TechRadar Pro

Mike Moore is Deputy Editor at TechRadar Pro. He has worked as a B2B and B2C tech journalist for nearly a decade, including at one of the UK's leading national newspapers and fellow Future title ITProPortal, and when he's not keeping track of all the latest enterprise and workplace trends, can most likely be found watching, following or taking part in some kind of sport.