BlackBerry report details new ransomware strain targetting Windows, Linux

BlackBerry header

BlackBerry Threat Intelligence, in partnership with KPMG, released a report detailing a newly discovered ransomware strain.

Dubbed ‘Tycoon,’ the ransomware abuses the Java ‘JIMAGE’ format to create a custom, malicious Java Runtime Environment (JRE) build. According to BlackBerry, Tycoon targets Windows and Linux system and it’s been observed in the wild since at least December 2019.

In the report, BlackBerry notes that the threat actors behind Tycoon appear to use highly targetted delivery mechanisms. Specifically, the threat actors use it infiltrate small- and medium-sized businesses and institutions in education and software industries. Once infiltrated, the actors would encrypt file servers and demand a ransom.

However, BlackBerry reports that the attack reuses a common RSA private security key. Because of this, BlackBerry says it may be possible to recover the encrypted data without the need for payment in earlier variants of Tycoon.

Further, BlackBerry says that it saw a substantial increase in ransomware written in languages like Java and Go. However, this is the first time it encountered ransomware that abused the JIMAGE format.

Those interested in reading through the technical details of Tycoon should check out BlackBerry’s full report. It breaks down how threat actors deliver Tycoon to targets, how the ransomware operates and the effects.

The report is available on BlackBerry’s website here.