New Java-Based Ransomware Targets Linux and Windows Systems (zdnet.com) 37
"A newly uncovered form of ransomware is going after Windows and Linux systems," reports ZDNet, "in what appears to be a targeted campaign."
Named Tycoon after references in the code, this ransomware has been active since December 2019 and looks to be the work of cyber criminals who are highly selective in their targeting. The malware also uses an uncommon deployment technique that helps it stay hidden on compromised networks. The main targets of Tycoon are organisations in the education and software industries.
Tycoon has been uncovered and detailed by researchers at BlackBerry working with security analysts at KPMG. It's an unusual form of ransomware because it's written in Java, deployed as a trojanised Java Runtime Environment and is compiled in a Java image file (Jimage) to hide the malicious intentions... [T]he first stage of Tycoon ransomware attacks is less uncommon, with the initial intrusion coming via insecure internet-facing Remote Desktop Protocol servers. This is a common attack vector for malware campaigns and it often exploits servers with weak or previously compromised passwords. Once inside the network, the attackers maintain persistence by using Image File Execution Options (IFEO) injection settings that more often provide developers with the ability to debug software. The attackers also use privileges to disable anti-malware software using ProcessHacker in order to stop removal of their attack...
After execution, the ransomware encrypts the network with files encrypted by Tycoon given extensions including .redrum, .grinch and .thanos — and the attackers demand a ransom in exchange for the decryption key. The attackers ask for payment in bitcoin and claim the price depends on how quickly the victim gets in touch via email.
The fact the campaign is still ongoing suggests that those behind it are finding success extorting payments from victims.
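The persistence mechanism named in the excerpt, Image File Execution Options (IFEO), works because Windows honours a "Debugger" value under the IFEO subkey for an executable name: whenever that executable is launched, the program named in "Debugger" is started instead, with the original command line appended. That is exactly why it is attractive for persistence and why it is worth auditing. The script below is an added example, not code from the article, BlackBerry or KPMG. It parses a registry export of the IFEO key in the text .reg format and flags every subkey that carries a "Debugger" value, rating entries that do not point at a recognised debugger higher, and highest when the hijacked image is one of the accessibility binaries classically abused this way. The allow-list of debugger names, the accessibility-binary list and the sample export are all constructed here and should be replaced with the organisation's own data.

```python
"""Offline audit of IFEO "Debugger" entries from a .reg export.

Added example, not code from the article or the researchers it cites.
The sample export below is constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
               r"\CurrentVersion\Image File Execution Options")

# Assumption: debuggers that are expected on developer machines in this
# environment.  Anything else named as a Debugger is treated as suspicious.
KNOWN_DEBUGGERS = {"windbg.exe", "cdb.exe", "ntsd.exe", "vsjitdebugger.exe"}

# Accessibility helpers launchable from the logon screen; a Debugger value on
# these is the classic "sticky keys" style backdoor, so it is rated highest.
ACCESSIBILITY_IMAGES = {"sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
                        "magnify.exe", "displayswitch.exe", "atbroker.exe"}


@dataclass
class Finding:
    image: str      # executable the IFEO subkey is named after
    debugger: str   # decoded Debugger value
    severity: str   # "info", "medium" or "high"
    reason: str


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Minimal .reg parser: {key_path: {value_name: data}} for REG_SZ values.

    `text` must already be decoded (reg.exe writes UTF-16LE with a BOM).
    Non-string values (dword:, hex:) are ignored, which is fine for this audit.
    """
    keys: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m and current is not None:
            # .reg escapes backslashes as \\ and quotes as \"
            data = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
            keys[current][m.group(1)] = data
    return keys


def debugger_target(value: str) -> str:
    """Return the lower-cased basename of the program a Debugger value runs."""
    v = value.strip()
    if v.startswith('"'):
        end = v.find('"', 1)
        exe = v[1:end] if end > 0 else v[1:]
    else:
        parts = v.split()
        exe = parts[0] if parts else v
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def audit_ifeo(keys: dict[str, dict[str, str]]) -> list[Finding]:
    """Flag every IFEO subkey that sets a Debugger, with a severity rating."""
    findings = []
    for path, values in keys.items():
        if not path.lower().startswith(IFEO_PREFIX.lower() + "\\"):
            continue
        image = path.rsplit("\\", 1)[-1].lower()
        dbg = values.get("Debugger")
        if dbg is None:
            continue
        target = debugger_target(dbg)
        if target in KNOWN_DEBUGGERS:
            sev, why = "info", "known debugger; confirm it is expected here"
        elif image in ACCESSIBILITY_IMAGES:
            sev, why = "high", "accessibility binary redirected to " + target
        else:
            sev, why = "medium", "unrecognised Debugger target " + target
        findings.append(Finding(image, dbg, sev, why))
    return findings


# Constructed sample export (not a real system); one benign developer entry,
# one accessibility-binary hijack, one subkey without a Debugger, one unknown.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

; constructed sample for the audit above
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Program Files\\Windows Kits\\10\\Debuggers\\x64\\windbg.exe\" -g"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\Windows\\System32\\cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe]
"DisableExceptionChainValidation"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\update-helper.exe]
"Debugger"="C:\\Users\\Public\\svc.exe"
"""

if __name__ == "__main__":
    for f in audit_ifeo(parse_reg_export(SAMPLE_REG)):
        print(f"[{f.severity}] {f.image}: Debugger={f.debugger!r} ({f.reason})")
```

On a live host the input would come from `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg /y`, read back with `open("ifeo.reg", encoding="utf-16")`. Note that reading or exporting the key needs no special rights, but writing a Debugger value under HKLM does, which matches the point made in the comments below that this persistence step presupposes administrative access.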
Wait, what? Blackberry? (Score:5, Funny)
The biggest news here is that Blackberry still exists.
Java can never be made secure (Score:1)
Change my mind.
Re: (Score:2)
Volunteering for brain surgery?
Re: (Score:2)
I mean sure, maybe it's technically possible in the same way that a pair of 20 year old college girls might knock on my door with a six pack of my favorite beer and an awful fierce yearning, but I'm not holding out any hopes.
Re: (Score:2)
Re:Java can never be made secure (Score:4, Informative)
I have no inclination to want to change your mind, but your comment is irrelevant.
This vulnerability is exploited through a trojan.
Once you can convince an end user to execute arbitrary executables on their operating system in the first place, it generally doesn't matter what language it was developed in.
The underlying exploit described here is not in any way especially connected to Java.
Re: (Score:2)
Once you can convince an end user to execute arbitrary executables on their operating system in the first place, it generally doesn't matter what language it was developed in.
The underlying exploit described here is not in any way especially connected to Java.
In this case, the attack was via RDP, in which case it seems the passwords were known. There was no security here.
RDP, sh, cmd and java are all part of the same delivery mechanism here.
Re: (Score:2)
speed (Score:1)
Well since it is java, we will be able to stop it before it does any damage due to its speed :)
I'll be here all week - dha dum
Re: (Score:3, Insightful)
Java is very fast. Maybe you're confusing Java of today with Java of 1996.
Re: (Score:2)
That's right. Everyone knows today's Java can't even run last year's Java programs.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Java CAN be fast, unfortunately it's usually fast in the same way a greyhound chasing his tail is fast.
Thanks Microsoft (Score:2)
RDP, another fine Microsoft product.
And Java from Oracle. (yeah I know Sun, but it's Oracle's problem now)
The gifts that keep giving.
Re: (Score:2)
The gifts that keep giving.
More like "the gift that keeps on taking."
Java? (Score:5, Insightful)
I feel like this is an unfair slight against Java. Is Slashdot going to retroactively update all the previous malware posts to say "written in C++"? Or "All the exploits are targeting buffer overflows because the software was written in C++"?
Re: Java? (Score:3)
Only when C/C++ based malware becomes relatively unusual.
Re: (Score:2)
It's already more unusual than Java by some indexes.
Re: (Score:2)
That's an amusing assertion.
Re: (Score:2)
Is there another malware written in Java? (Score:2)
What's weird about this malware is that it's written in Java.
That's a strange choice for a malware, to require a compatible JRE.
Re: (Score:3)
From the article, it sounds like the malware is part of a trojan JRE, so it doesn't require a JRE, it IS a JRE.
Re: (Score:1)
It is just about how skilled people are using unconventional languages to perform the same old activities.
Actually, I'm not even surprised, trying to exploit a platform to convey their own agenda will be regardless of a particular language.
You would not select a language to exploit a platform, you would study a platform to know how to breach it.
It is not that C/C++ were made exploitable friendly, it w
This is big news! (Score:3)
The attackers also use privileges to disable anti-malware software using ProcessHacker in order to stop removal of their attack.
So the attack uses privileges. Huh. So why don't we remove all privileges to stop this? (joking)
Anyway, changing the IFEO key requires admin privileges as does using ProcessHacker to stop the anti-malware service.
This is big news!
We have learned that people who have servers with remote logins exposed to the Internet with weak passwords on admin accounts can have problems.
Why doesn't someone let us know about the risks in doing that?
Re: (Score:2)
Thanks for the finding (was too lazy to read the details). So badly behind patches or weak passwords on admin accounts. Looks like I can ignore this one, at least on my personal servers.
Write Once, Run Anywhere! (Score:2, Troll)
The problem is ransomware pays (Score:3)
Since the criminals behind malware have finally (from their perspective) found a good, reliable revenue stream, ransomware is going to get better and better. They now apparently have well-structured teams, development and deployment processes, etc. And since so many organizations have IT security that sucks, this is not going to change anytime soon. The move to Java is probably because you can get developers more easily and because they can target more than one platform with the same code.
Re: (Score:2)
"The move to Java is probably because you can get developers more easily and because they can target more than one platform with the same code."
Another outstanding reason not to put Java on your PC.
Re: (Score:2)
Re: (Score:2)
The real answer is don't expose insecure applications like RDP on the internet.
Well, the stupidity of that is staggering. But so is, say, not protecting your AWS container with a password before dumping your customer database in it. And that seems to happen regularly.
The actual problem is far too many coders, system administrators and other IT folks that are simply incompetent. And the problem behind that is stupid hiring managers that hire for cheap and do not realize they are paying a huge price for that.
Time will fix this, and eventually you will have to be a real engineer to do IT.
Badly written low quality story, bro (Score:4, Insightful)
Re: (Score:2)
The article was written by yet another clueless tech writer. I think their thought process goes something like: Windows does it this way, and Linux must do it the same way since Windows is Some How Invented Terribly, and there is no other way to do it. So if Windows is vulnerable, Linux must be vulnerable, too.
Re: (Score:3, Informative)
"The malicious JRE build contains both Windows® and Linux® versions of this script, suggesting that the threat actors are also targeting Linux® servers:"
And at the beginning in the overview the article states:
"Tycoon is a multi-platform Java ransomware targeting Windows® and Linux® that has been observed in-the-wild since at least December 2019"
In other words, the exploit was found on Windows and they assume
Too bad (Score:2)
Too bad I don't install Java on anything, ever. It's shitware.
Dang, I guess I miss out AGAIN on this amazing new virus or malware or whatever it is.