
Multi-Platform 'Tycoon' Ransomware Uses Rare Java Image Format for Evasion
2020-06-04 18:38

A recently discovered multi-platform Java ransomware uses a Java image file to evade detection, BlackBerry security researchers report.

After establishing a foothold in the environment, the attackers executed the Java ransomware module, which encrypted every file server reachable on the network, including backup systems.

The ransomware is deployed as a ZIP archive containing a trojanized Java Runtime Environment build; the ransomware module itself is compiled into a Java image (JIMAGE) file.

First introduced in Java version 9, the file format is sparsely documented and is rarely used by developers, BlackBerry explains.
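An added defender-side example (not from the BlackBerry report or this article): a Python triage helper that spots Java image (jimage) files by their header magic and reports the header fields, so a bundled JRE inside an archive can be checked for an unexpected image. It assumes the OpenJDK ImageHeader layout of seven 32-bit words; the sample header at the bottom is constructed, not taken from a real JRE.

```python
import struct
import zipfile
from typing import Optional

JIMAGE_MAGIC = 0xCAFEDADA     # magic word at offset 0 of a jimage file
JIMAGE_BADMAGIC = 0xDADAFECA  # same magic read with the opposite byte order
HEADER_LEN = 7 * 4            # seven 32-bit header words

def parse_jimage_header(data: bytes) -> Optional[dict]:
    """Return the jimage header fields, or None if `data` is not a jimage file.

    Layout (OpenJDK jdk.internal.jimage.ImageHeader): magic, version
    (major << 16 | minor), flags, resource_count, table_length,
    locations_size, strings_size, in the producing JVM's native byte order.
    """
    if len(data) < HEADER_LEN:
        return None
    magic = struct.unpack("<I", data[:4])[0]
    if magic == JIMAGE_MAGIC:
        order = "<"
    elif magic == JIMAGE_BADMAGIC:
        order = ">"
    else:
        return None
    words = struct.unpack(order + "7I", data[:HEADER_LEN])
    return {
        "byte_order": "little" if order == "<" else "big",
        "major": words[1] >> 16,
        "minor": words[1] & 0xFFFF,
        "flags": words[2],
        "resource_count": words[3],
        "table_length": words[4],
        "locations_size": words[5],
        "strings_size": words[6],
    }

def find_jimage_entries(zip_path: str) -> list:
    """List (entry name, header) for every ZIP entry that starts with the jimage magic."""
    hits = []
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size < HEADER_LEN:
                continue
            with zf.open(info) as fh:
                hdr = parse_jimage_header(fh.read(HEADER_LEN))
            if hdr is not None:
                hits.append((info.filename, hdr))
    return hits

# Constructed sample headers (version 1.0, 3 resources); not from any real JRE.
SAMPLE_HEADER_LE = struct.pack("<7I", JIMAGE_MAGIC, 1 << 16, 0, 3, 5, 64, 32)
SAMPLE_HEADER_BE = struct.pack(">7I", JIMAGE_MAGIC, 1 << 16, 0, 3, 5, 64, 32)
```

In a real JRE the image lives at `lib/modules`; a jimage found under any other name, or one whose resource count differs from the vendor build, is worth a closer look.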

"However, one of the victims seeking help on the BleepingComputer forum posted a private RSA key presumably coming from a decryptor the victim purchased from the attackers. This key has proven to be successful in decryption of some of the files affected by the earliest version of Tycoon ransomware that added the .redrum extension to the encrypted files," the researchers explain.


News URL

http://feedproxy.google.com/~r/Securityweek/~3/ymeta_HBtPg/multi-platform-tycoon-ransomware-uses-rare-java-image-format-evasion