A Java-based ransomware that targets the software market and education sectors has been spotted in the wild by BlackBerry.
The BlackBerry Research and Intelligence Team, working with KPMG’s UK Cyber Response Services, recently discovered the ransomware, dubbed “Tycoon.” The ransomware is written in Java and has been in the wild since at least December 2019.
According to the researchers, “it is deployed in the form of a Trojanized Java Runtime Environment (JRE) and leverages an obscure Java image format to fly under the radar.”
Once a computer has been infiltrated, the software encrypts files using an AES-256 algorithm. To make matters worse, the ransomware overwrites deleted files in each encryption path, ensuring they cannot be recovered without the decryption key.
There are two spots of good news, however. First, it does not appear that the ransomware is widespread, leading the researchers to believe “the malware may be highly targeted.”
Even better, it appears the hackers used the same encryption key repeatedly. As a result, some victims have had success using a decryption key purchased by one of the other victims.
“Because of the use of an asymmetric RSA algorithm to encrypt the securely generated AES keys, the file decryption requires obtaining the attacker’s private RSA key,” the researchers write. “Factoring a 1024-bit RSA key, although theoretically possible, has not been achieved yet and would require extraordinary computational power.
“However, one of the victims seeking help on the BleepingComputer forum posted a private RSA key presumably coming from a decryptor the victim purchased from the attackers. This key has proven to be successful in decryption of some of the files affected by the earliest version of Tycoon ransomware that added the .redrum extension to the encrypted files.”
Unfortunately, later versions of the malware use “.grinch” and “.thanos” as the file extensions, and the reused key does not work on those files.
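The hybrid scheme the researchers describe, modelled in Go as an added example (this is not Tycoon's own Java code and not from the BlackBerry report): each file gets a fresh AES-256 key that is wrapped under one 1024-bit RSA public key, so a single recovered private key unwraps every file from that campaign but nothing wrapped under a different keypair, which is why the leaked .redrum key does not help .grinch or .thanos victims. OAEP padding, AES-GCM and the function names are assumptions; the article names neither the padding nor the AES mode.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"io"
)

// wrappedFile models one encrypted file: the per-file AES-256 key wrapped
// under the campaign's RSA public key, plus the AES-GCM ciphertext.
type wrappedFile struct{ wrappedKey, nonce, ciphertext []byte }

// newCampaignKey stands in for the 1024-bit RSA pair the attackers reused
// across victims; it is generated fresh here, not the real key.
func newCampaignKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 1024) }

// encryptFile mirrors the described scheme: a securely generated AES-256 key
// per file, wrapped with RSA (OAEP assumed), contents sealed with AES-GCM (assumed).
func encryptFile(pub *rsa.PublicKey, plaintext []byte) (*wrappedFile, error) {
	key, nonce := make([]byte, 32), make([]byte, 12) // 12-byte nonce is GCM's standard size
	for _, b := range [][]byte{key, nonce} {
		if _, err := io.ReadFull(rand.Reader, b); err != nil {
			return nil, err
		}
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key) // 32-byte key: NewCipher cannot fail
	gcm, _ := cipher.NewGCM(block)
	return &wrappedFile{wrapped, nonce, gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// recoverFile is the victim-side step with a recovered private key: unwrap the
// file key, then decrypt. OAEP unwrapping fails for a key from another campaign.
func recoverFile(priv *rsa.PrivateKey, f *wrappedFile) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, f.wrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, f.nonce, f.ciphertext, nil)
}
```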