
Tycoon Ransomware

Posted: June 5, 2020

The Tycoon Ransomware is a strain of ransomware that security researchers have identified as responsible for encrypting files on the systems of small and medium-sized companies in several parts of the world. Tycoon is believed to have been used in attacks since December 2019, but its activity increased sharply in the weeks before this writing, which quickly drew the attention of researchers.

A Java-Based File-Locker Threatens to Expose Misappropriated Files to the Public

This file-locker is written in Java, and it appears to be launched on infected systems by hand. It is not spread through the usual malware distribution channels; instead, its operators run it on systems they have already compromised. Hands-on deployment of this kind is not common for ransomware, and here it indicates that the Tycoon Ransomware is the final stage of an elaborate, multi-stage intrusion.

Security researchers concluded that the Tycoon Ransomware reached infected systems through exposed Remote Desktop Protocol (RDP) services, usually ones protected by weak login credentials. Once the attackers gained a foothold on the network, they carried out several other tasks before deploying the Tycoon Ransomware:

  • They used publicly available tools such as ProcessHacker to kill anti-virus software and other security tools.
  • They changed the passwords of Windows Active Directory accounts so that system administrators could no longer access the compromised hosts.
  • They planted a backdoor Trojan.
  • They located every reachable file backup and added it to the Tycoon Ransomware's targets.
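Every step in the chain above leaves a trace in the Windows Security log well before any file is encrypted, which is where a defender has the best chance of stopping this kind of hands-on intrusion. The detection logic below is an added example, not code from the Tycoon report or from any vendor; it runs four rules over a constructed set of event records (not real telemetry) that mirror the sequence described: an RDP password-guessing burst that ends in a successful logon (events 4625 and 4624 with logon type 10), ProcessHacker being started (4688), an Active Directory password reset by one account against another (4724), and Java being launched from cmd.exe, which is how a batch-file launcher would appear. The tool-name list and the java.exe/cmd.exe pairing are assumptions made for the example; the event IDs and logon type are the standard Windows ones.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample Windows Security events (not real telemetry).
# 4625 = failed logon, 4624 = successful logon, 4688 = process creation,
# 4724 = attempt to reset an account's password. Logon type 10 = RDP.
SAMPLE_EVENTS = [
    *[{"id": 4625, "time": f"2020-05-20T02:00:{s:02d}", "src_ip": "203.0.113.7",
       "user": "administrator", "logon_type": 10} for s in range(0, 60, 10)],
    {"id": 4624, "time": "2020-05-20T02:01:10", "src_ip": "203.0.113.7",
     "user": "administrator", "logon_type": 10},
    {"id": 4688, "time": "2020-05-20T02:05:00", "host": "SRV01",
     "process": r"C:\Users\administrator\Downloads\ProcessHacker.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"id": 4724, "time": "2020-05-20T02:09:00", "host": "DC01",
     "subject_user": "administrator", "target_user": "it_admin"},
    {"id": 4688, "time": "2020-05-20T02:30:00", "host": "SRV01",
     "process": r"C:\ProgramData\jre\bin\java.exe",
     "parent": r"C:\Windows\System32\cmd.exe"},
    # benign noise: a single mistyped password from an internal host
    {"id": 4625, "time": "2020-05-20T02:02:00", "src_ip": "10.0.0.5",
     "user": "jdoe", "logon_type": 10},
]

# Tools the page names as used to kill security software (assumption: extend for your estate).
SECURITY_TOOL_KILLERS = {"processhacker.exe"}
JAVA_BINARIES = {"java.exe", "javaw.exe"}       # assumption for the launcher rule
SCRIPT_HOSTS = {"cmd.exe"}                      # a .bat file runs under cmd.exe


def _t(ev):
    return datetime.fromisoformat(ev["time"])


def rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Flag a source IP with >= threshold failed RDP logons inside `window`
    that are followed by a successful RDP logon from the same IP."""
    failures = defaultdict(list)
    hits = []
    for ev in sorted(events, key=_t):
        if ev.get("logon_type") != 10:
            continue
        ip = ev["src_ip"]
        if ev["id"] == 4625:
            failures[ip].append(_t(ev))
        elif ev["id"] == 4624:
            recent = [t for t in failures[ip] if _t(ev) - t <= window]
            if len(recent) >= threshold:
                hits.append({"rule": "rdp_bruteforce_success", "src_ip": ip,
                             "user": ev["user"], "failures": len(recent)})
            failures[ip].clear()
    return hits


def _basename(path):
    return PureWindowsPath(path).name.lower()


def security_tool_tampering(events):
    """Process creation of a known process-killer such as ProcessHacker."""
    return [{"rule": "security_tool_tampering", "host": ev["host"], "process": ev["process"]}
            for ev in events
            if ev["id"] == 4688 and _basename(ev["process"]) in SECURITY_TOOL_KILLERS]


def ad_password_resets(events):
    """4724 is logged when one account resets another's password; the attackers
    used this to lock administrators out before encryption."""
    return [{"rule": "ad_password_reset", "host": ev["host"],
             "by": ev["subject_user"], "target": ev["target_user"]}
            for ev in events if ev["id"] == 4724]


def java_launched_from_script(events):
    """Java started by a script host, matching the batch-file launch described."""
    return [{"rule": "java_from_script", "host": ev["host"], "process": ev["process"]}
            for ev in events
            if ev["id"] == 4688 and _basename(ev["process"]) in JAVA_BINARIES
            and _basename(ev["parent"]) in SCRIPT_HOSTS]


def triage(events):
    """Run all rules and return the alerts in the order the attack unfolds."""
    return (rdp_bruteforce(events) + security_tool_tampering(events)
            + ad_password_resets(events) + java_launched_from_script(events))


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The first rule is the one worth tuning: it only fires when a burst of failures is followed by a success from the same address, which separates a guessed password from ordinary noise such as the single failure from 10.0.0.5 in the sample. The remaining three rules are cheap and high-signal on their own, and the 4724 rule in particular should page someone whenever the target is a privileged account.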

The Tycoon Ransomware may be Usable on Linux Systems as Well

Once these tasks were complete, the Tycoon Ransomware was launched manually from a script. Notably, infected systems held both a Linux shell script and a Windows batch file for this purpose. This suggests that the Tycoon Ransomware may also be used against Linux servers, and it would explain why the project was written in Java, a cross-platform language.

Files locked by the Tycoon Ransomware receive either the '.grinch' or the '.thanos' extension. Like other ransomware families, Tycoon drops a ransom note, 'decryption.txt'. According to the note, the authors offer a paid decryption service, with the fee payable in Bitcoin, and can be reached at ppp4ddd@protonmail.com. They also warn that the fee increases by 10% every day, pressuring the victim to make contact as soon as possible.
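The extensions, the note filename and the contact address above are the indicators a responder would sweep for when scoping an incident. The script below is an added example, not part of the original page or of any published Tycoon tooling: it builds a small constructed victim directory (the note wording is invented and only reuses the address quoted in the text), then walks it to count encrypted files per extension, recover the original filenames by stripping the added extension, list the affected directories, and pull contact addresses out of every note so the result can be matched against the known address. The sample includes a backups directory, since the attackers deliberately added reachable backups to their targets.

```python
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Indicators taken from the description above.
ENCRYPTED_EXTENSIONS = {".grinch", ".thanos"}
NOTE_FILENAME = "decryption.txt"
KNOWN_CONTACT = "ppp4ddd@protonmail.com"
# Addresses end at the first character that cannot belong to a domain label,
# so a trailing full stop in the note text is not swallowed.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed note text for the sample tree; not the real note's wording.
NOTE_TEXT = (f"Your files are encrypted. Write to {KNOWN_CONTACT} to buy the decryptor. "
             "The price rises by 10% every day.\n")


def build_sample_tree(root: Path) -> None:
    """Create a constructed victim directory for the demonstration."""
    (root / "finance").mkdir(parents=True)
    (root / "finance" / "budget.xlsx.thanos").write_bytes(os.urandom(64))
    (root / "finance" / NOTE_FILENAME).write_text(NOTE_TEXT)
    (root / "hr").mkdir()
    (root / "hr" / "contracts.docx.grinch").write_bytes(os.urandom(64))
    (root / "hr" / NOTE_FILENAME).write_text(NOTE_TEXT)
    (root / "hr" / "notes.txt").write_text("untouched file\n")
    (root / "backups").mkdir()                 # backups were targeted too
    (root / "backups" / "srv01.bak.grinch").write_bytes(os.urandom(64))


def sweep(root: Path) -> dict:
    """Walk `root` and summarise encrypted files, ransom notes and contacts."""
    encrypted = []
    notes = []
    contacts = Counter()
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.suffix.lower() in ENCRYPTED_EXTENSIONS:
            encrypted.append(path)
        elif path.name.lower() == NOTE_FILENAME:
            notes.append(path)
            contacts.update(EMAIL_RE.findall(path.read_text(errors="replace")))
    return {
        "encrypted": len(encrypted),
        "by_extension": dict(Counter(p.suffix.lower() for p in encrypted)),
        # Path.stem drops only the last suffix, which is the one the ransomware added.
        "originals": sorted(p.stem for p in encrypted),
        "affected_dirs": sorted({str(p.parent.relative_to(root)) for p in encrypted}),
        "notes": len(notes),
        "contacts": dict(contacts),
        "known_actor": KNOWN_CONTACT in contacts,
    }


def demo() -> dict:
    """Build the sample tree in a temporary directory and sweep it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return sweep(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it against a real share by calling `sweep(Path("/mnt/victim"))` from a forensic mount instead of `demo()`; the "originals" list is what you hand to whoever is restoring from offline backups, and a non-empty "backups" entry in "affected_dirs" tells you early that online backups were reached.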

Unfortunately, files encrypted by the Tycoon Ransomware cannot currently be recovered without the attackers' key, and a free decryption utility is unlikely to appear unless the criminals behind the project abandon it and release the keys to their victims.
