Linux and Windows PCs Targeted By New Ransomware

Walden Systems Geeks Corner News

A new ransomware family has been found that goes after both Windows and Linux systems. The ransomware is called Tycoon, after references in its code. It has been active since December 2019 and appears to be highly selective in its targets. The malware also uses an unusual deployment technique that helps it stay hidden on compromised networks.

Tycoon appears to be targeting the education and software industries. It was discovered by researchers at BlackBerry working with security analysts at KPMG. It is unusual ransomware because it is written in Java, deployed as a trojanized Java Runtime Environment, and packaged inside a Java image file to hide itself. Java is seldom used to write endpoint malware because it requires the Java Runtime Environment to be present to run the code, and image files are rarely used in malware attacks. Attackers are shifting towards uncommon programming languages and obscure data formats; in this case the attackers did not even need to obfuscate their code, yet were still successful.

The initial intrusion comes through insecure internet-facing RDP servers. This is a common method for malware campaigns, and it often exploits servers with weak or previously compromised passwords. Once inside the network, the code maintains persistence by using Image File Execution Options (IFEO) injection settings, a feature that normally gives developers the ability to debug software. The attackers also use their elevated privileges to disable anti-malware software with ProcessHacker, in order to prevent removal of their tooling.
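A defender's check for the persistence mechanism described above, added here as an example (it is not code from the article or from the BlackBerry/KPMG research): it lists the two IFEO-related registry values, `Debugger` and `SilentProcessExit\MonitorProcess`, that can redirect a program's launch or exit to another executable. It assumes a Windows host and an elevated PowerShell session.

```powershell
# Added example, not code from the article or the BlackBerry/KPMG research.
# Assumes a Windows host and an elevated PowerShell session (reads HKLM only).
# Enumerates two IFEO-related settings that can hijack process execution:
#   - Image File Execution Options\<exe>\Debugger      (runs instead of <exe>)
#   - SilentProcessExit\<exe>\MonitorProcess           (runs when <exe> exits)
# Every populated entry deserves review; a few legitimate debuggers set them too.

function Get-IfeoPersistence {
    $checks = @(
        @{ Base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'; Value = 'Debugger' },
        @{ Base = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'; Value = 'Debugger' },
        @{ Base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit'; Value = 'MonitorProcess' }
    )

    foreach ($check in $checks) {
        if (-not (Test-Path -Path $check.Base)) { continue }

        Get-ChildItem -Path $check.Base -ErrorAction SilentlyContinue | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            $cmd   = $props.($check.Value)
            if (-not [string]::IsNullOrWhiteSpace($cmd)) {
                [pscustomobject]@{
                    TargetExe = $_.PSChildName   # program whose launch or exit is hooked
                    Setting   = $check.Value
                    Command   = $cmd             # what actually gets executed
                    Key       = $_.Name
                }
            }
        }
    }
}

# Show findings; pipe to Export-Csv to keep a baseline and diff it on later runs.
Get-IfeoPersistence | Format-Table -AutoSize
```

Comparing the output against a baseline captured on a known-clean build is the quickest way to spot a newly added hook.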

Ransomware can be implemented in a high-level language such as Java with no obfuscation and still execute successfully. When run, Tycoon encrypts files across the network, giving the encrypted files extensions including .redrum, .grinch and .thanos. The attackers then demand a ransom in exchange for the decryption key, and claim that the price of the key depends on how quickly the victim responds.

So far, researchers have only seen Tycoon targeting Windows in the wild, but shell scripts in the ransomware's Java modules contain both Windows and Linux variants, suggesting that the attackers have also developed a Linux version. Researchers think Tycoon could be linked to another ransomware family known as Dharma or Crysis, because of similarities in the email addresses used, the names of the encrypted files and the text of the ransom note.

While Tycoon does have some unique means of executing an infection, it can be defended against like any other form of ransomware. Since RDP is a common attack vector, admins should ensure that only the ports that are absolutely necessary are exposed to the internet. Admins should also make sure that accounts that do need remote access are not using default credentials or weak passwords that can be easily guessed. Applying security patches promptly prevents many ransomware attacks, as it stops criminals from exploiting known vulnerabilities. Finally, admins should back up their network regularly so that, if the worst happens, systems can be restored without paying the ransom.