The FBI’s Internet Crime Complaint Center (IC3) released its Cybercrime Report last year, according to media reports. Cybercrime caused $3.5 billion in losses in 2019, according to the report. Attackers use ransomware to extort money from businesses and individual users. BlackBerry’s security research team recently discovered a new ransomware family that has affected an educational institution in Europe. Unlike most ransomware seen so far, this ransomware module is compiled into the Java image file format (JIMAGE).
JIMAGE is a file format that stores custom JRE images and is designed to be used by the Java Virtual Machine (JVM) at runtime.
Here is how the attack unfolded:
To achieve persistence on the victim’s machine, the attacker used a technique called Image File Execution Options (IFEO) injection. IFEO settings are stored in the Windows registry. They give developers a way to debug their software by attaching an additional debugger application that is launched whenever the target application is executed.
A backdoor is then executed alongside Microsoft Windows’ On-Screen Keyboard (OSK) feature.
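Because an IFEO `Debugger` value makes Windows launch the named program every time the target executable starts, a defender can triage this persistence technique by exporting the IFEO key and flagging any image that has a `Debugger` value, with extra weight on accessibility binaries such as osk.exe that are reachable from the logon screen. The following script is an added example and is not code from the article or from BlackBerry; the registry export it parses is constructed, and the `PLACEHOLDER` paths in it are invented stand-ins, not indicators from this incident.

```python
import re
from typing import Dict, List

# Registry key that holds Image File Execution Options (IFEO) settings.
IFEO_KEY = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
    r"\CurrentVersion\Image File Execution Options"
)

# Accessibility helpers that can be launched from the Windows logon screen;
# a debugger attached to any of these deserves immediate attention.
ACCESSIBILITY_IMAGES = {
    "osk.exe", "sethc.exe", "utilman.exe", "narrator.exe",
    "magnify.exe", "displayswitch.exe", "atbroker.exe",
}

# Constructed sample in `reg export` format (backslashes are doubled, as
# reg.exe writes them). The java.exe and JAR paths are placeholders.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"DisableExceptionChainValidation"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe]
"Debugger"="C:\\ProgramData\\PLACEHOLDER\\jre\\bin\\java.exe -jar C:\\ProgramData\\PLACEHOLDER\\backdoor.jar"
"""

_KEY_LINE = re.compile(r"^\[(.+)\]$")
_DEBUGGER_LINE = re.compile(r'^"Debugger"="(.*)"$', re.IGNORECASE)


def find_ifeo_debuggers(reg_text: str) -> List[Dict[str, object]]:
    """Scan a .reg export and return every image that has an IFEO Debugger value.

    Each finding records the hijacked image name, the command that Windows will
    run instead of it, and whether the image is an accessibility binary.
    """
    findings: List[Dict[str, object]] = []
    current_image = None
    prefix = IFEO_KEY.lower() + "\\"

    for raw in reg_text.splitlines():
        line = raw.strip()
        key_match = _KEY_LINE.match(line)
        if key_match:
            key = key_match.group(1)
            current_image = None
            if key.lower().startswith(prefix):
                # First path component below the IFEO key is the image name.
                current_image = key[len(prefix):].split("\\", 1)[0].lower()
            continue

        dbg_match = _DEBUGGER_LINE.match(line)
        if dbg_match and current_image:
            # reg export escapes backslashes; undo that for a readable command.
            command = dbg_match.group(1).replace("\\\\", "\\")
            findings.append({
                "image": current_image,
                "debugger": command,
                "high_risk": current_image in ACCESSIBILITY_IMAGES,
            })
    return findings


if __name__ == "__main__":
    for hit in find_ifeo_debuggers(SAMPLE_REG_EXPORT):
        flag = "HIGH" if hit["high_risk"] else "review"
        print(f"[{flag}] {hit['image']} -> {hit['debugger']}")
```

On a live host, feed the function the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` (and the corresponding WOW6432Node key on 64-bit systems). Legitimate `Debugger` values are rare outside developer workstations, so any hit is worth a look, and one that launches an interpreter or runtime such as java.exe from a user-writable directory should be treated as a probable persistence mechanism.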
The attacker used the ProcessHacker tool to disable the organization’s anti-malware solution and changed the password of the Active Directory server, leaving the victims without access to their systems.
Most of the attacker’s files, including the Java library and the execution script, were timestomped: their file dates were set to 15:16:22 on April 11, 2020.
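Timestomping is meant to make the attacker’s files blend in, but setting many files to the same second leaves its own trace: a cluster of unrelated paths sharing one exact modification time, usually with a zero fractional-second part because the tool wrote a whole-second value. The script below is an added forensic triage example, not code from the article or from BlackBerry. The file list it analyses is constructed; the `PLACEHOLDER` paths are invented, and only the timestamp value comes from the article.

```python
import os
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

Entry = Tuple[str, datetime]


def collect_mtimes(root: str) -> List[Entry]:
    """Walk a directory tree (e.g. a mounted image) and return (path, mtime) pairs."""
    out: List[Entry] = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                out.append((path, datetime.fromtimestamp(os.stat(path).st_mtime)))
            except OSError:
                continue  # unreadable entry; skip rather than abort the walk
    return out


def find_timestamp_clusters(entries: List[Entry], min_size: int = 3) -> Dict[datetime, dict]:
    """Group files by exact modification time and report clusters of min_size or more.

    Each cluster notes whether the shared timestamp falls on a whole second,
    which is typical of tools that rewrite timestamps with second precision.
    """
    by_time: Dict[datetime, List[str]] = defaultdict(list)
    for path, ts in entries:
        by_time[ts].append(path)

    clusters: Dict[datetime, dict] = {}
    for ts, paths in by_time.items():
        if len(paths) >= min_size:
            clusters[ts] = {
                "paths": sorted(paths),
                "whole_second": ts.microsecond == 0,
            }
    return clusters


# Timestamp reported in the article; the paths below are constructed placeholders.
STOMPED = datetime(2020, 4, 11, 15, 16, 22)
SAMPLE_ENTRIES: List[Entry] = [
    (r"C:\ProgramData\PLACEHOLDER\lib\modules", STOMPED),
    (r"C:\ProgramData\PLACEHOLDER\bin\java.exe", STOMPED),
    (r"C:\ProgramData\PLACEHOLDER\run.bat", STOMPED),
    (r"C:\ProgramData\PLACEHOLDER\lib\jvm.cfg", STOMPED),
    (r"C:\Users\alice\Documents\budget.xlsx", datetime(2020, 3, 2, 9, 41, 7, 318254)),
    (r"C:\Users\alice\Documents\notes.txt", datetime(2020, 4, 9, 17, 5, 50, 990120)),
]


if __name__ == "__main__":
    for ts, info in find_timestamp_clusters(SAMPLE_ENTRIES).items():
        marker = " (whole-second value)" if info["whole_second"] else ""
        print(f"{ts.isoformat()}{marker}: {len(info['paths'])} files")
        for p in info["paths"]:
            print("   ", p)
```

Treat the output as a lead, not a verdict: package installers and archive extraction also produce files with identical timestamps. The clusters worth escalating are those whose paths span unrelated locations or sit next to freshly added runtimes and scripts, and on NTFS the `$STANDARD_INFORMATION` versus `$FILE_NAME` timestamps from the MFT give the confirming evidence.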
Finally, the attacker executed the Java ransomware module, encrypting all file servers, including the backup system connected to the network.
After extracting the zip file associated with the ransomware, three modules carrying the name “Tycoon” were found, so the BlackBerry team named the ransomware “Tycoon”.
Here’s a look at the ransom note for Tycoon: