A new Java-based ransomware targets Windows and Linux

Zack Whittaker

Security researchers have discovered a new kind of ransomware that uses a little-known Java file format to make it more difficult to detect before it detonates its file-encrypting payload.

Consulting giant KPMG's incident response unit was called in to run the recovery effort at an unnamed European educational institute hit by a ransomware attack. BlackBerry's security research unit, which partners with KPMG, analyzed the malware and published its findings Thursday.

BlackBerry's researchers said that a hacker broke into the institute's network through a remote desktop server exposed to the internet, and deployed a persistent backdoor so they could easily get back in later. After a few days of inactivity to avoid detection, the hacker re-entered the network through the backdoor, disabled any running anti-malware service, spread the ransomware module across the network, and detonated the payload, encrypting each computer's files and holding them hostage for a ransom.

The researchers said it was the first time they've seen a ransomware module compiled into a Java image file format, or JIMAGE. These files contain all the components needed for the code to run — a bit like a Java application — but are rarely scanned by anti-malware engines and can go largely undetected.
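As an added illustration, not part of the article or of BlackBerry's analysis: a small Python triage helper that recognises a JIMAGE container by its header, so defenders can surface such files for scanning wherever they turn up. The header layout (seven 32-bit fields, magic 0xCAFEDADA written in the producing machine's byte order) follows the JDK's own jimage reader; the sample headers and the `find_jimage_files` helper are constructed for this example.

```python
import struct
from pathlib import Path
from typing import Iterator, Optional

# Header layout per the JDK's jimage reader (imageFile.hpp): seven u4 fields,
# stored in the byte order of the machine that ran jlink.
JIMAGE_MAGIC = 0xCAFEDADA
_HEADER_LEN = 7 * 4


def parse_jimage_header(data: bytes) -> Optional[dict]:
    """Return the parsed header if `data` starts with a JIMAGE header, else None.

    Both byte orders are tried: a little-endian writer leaves DA DA FE CA on
    disk, a big-endian one leaves CA FE DA DA.
    """
    if len(data) < _HEADER_LEN:
        return None
    for endian, prefix in (("little", "<"), ("big", ">")):
        fields = struct.unpack(prefix + "7I", data[:_HEADER_LEN])
        if fields[0] == JIMAGE_MAGIC:
            return {
                "endian": endian,
                "major": fields[1] >> 16,       # version is major<<16 | minor
                "minor": fields[1] & 0xFFFF,
                "resource_count": fields[3],
                "table_length": fields[4],
            }
    return None


def find_jimage_files(root: Path) -> Iterator[tuple]:
    """Walk `root` and yield (path, header) for every file carrying a JIMAGE header.

    A JDK keeps its one JIMAGE at <jdk>/lib/modules; the header says nothing
    about intent, so anything found elsewhere is simply flagged for review.
    """
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            with path.open("rb") as fh:
                head = parse_jimage_header(fh.read(_HEADER_LEN))
        except OSError:
            continue
        if head is not None:
            head["in_jdk_location"] = path.name == "modules" and path.parent.name == "lib"
            yield path, head


# Constructed samples: a little-endian and a big-endian 1.0 image with 3 resources,
# and the start of a ZIP/JAR, which must not match.
SAMPLE_LE_HEADER = struct.pack("<7I", JIMAGE_MAGIC, 1 << 16, 0, 3, 4, 64, 128)
SAMPLE_BE_HEADER = struct.pack(">7I", JIMAGE_MAGIC, 1 << 16, 0, 3, 4, 64, 128)
SAMPLE_JAR_HEADER = b"PK\x03\x04" + bytes(24)
```

Pointing `find_jimage_files` at user-writable or temporary directories lists JIMAGE containers that have no business being there, which is the gap the article describes anti-malware engines leaving.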

BlackBerry named the ransomware "Tycoon," referencing a folder name found in the decompiled code. The researchers said the module had code that allows the ransomware to run on both Windows and Linux computers.

Ransomware operators typically use strong, off-the-shelf encryption algorithms to scramble victims' files in exchange for a ransom, often demanded in cryptocurrency. For most victims, their only options are to hope they have a backup or pay the ransom. (The FBI has long discouraged victims from paying the ransom.)

But the researchers said there was hope that some victims could recover their encrypted files without paying the ransom. Early versions of the Tycoon ransomware used the same encryption keys to scramble their victims' files. That means one decryption tool could be used to recover files for multiple victims, the researchers said. But newer versions of Tycoon seem to have fixed this weakness.

BlackBerry's Eric Milam and Claudiu Teodorescu told TechCrunch that they have observed about a dozen "highly targeted" Tycoon infections in the past six months, suggesting the hackers carefully select their victims, including educational institutions and software houses.

But, as is often the case, the researchers said that the actual number of infections is likely far higher.
