New ‘Tycoon’ Ransomware Strain Targets Windows, Linux
By Kelly Sheridan – A newly discovered form of Java-based ransomware has been spotted in active and seemingly targeted attacks on education and software companies, researchers from BlackBerry and KPMG report. This strain, dubbed Tycoon, uses an obscure Java image format to bypass security tools.
The discovery began when KPMG’s UK Cyber Response Services team was contacted to respond to a targeted attack against an educational institution. BlackBerry’s Research and Intelligence team, which works with KPMG, analyzed the threat. The Tycoon ransomware, they say, has been observed in the wild since December 2019 and targets both Windows and Linux machines. Its victim count is “limited,” researchers say, suggesting it may be a highly targeted threat.
In this case, an attacker connected to the target system using a Remote Desktop Protocol (RDP) server on the network. From there, they located a target and obtained local administrator credentials, installed process hacker-as-a-service, and disabled antivirus. They dropped a backdoor so they could gain re-entry and left.
Seven days later, the attacker connected to an RDP server and used it to move laterally across the network, making RDP connections to multiple systems. Analysis indicates RDP connections were manually initiated for each server, BlackBerry’s team states in a blog post. The attacker then ran process hacker-as-a-service and disabled antivirus, then executed the ransomware. It follows this same process for each infected server on the network, and files are encrypted with extensions including .thanos, .grinch, and .redrum.