Detection Content: Tycoon Ransomware

Although new ransomware families appear quite often, most of them target Windows systems exclusively. Tycoon is more interesting: a multi-platform Java ransomware that can encrypt files on both Windows and Linux systems. This family has been observed in the wild since at least December 2019. Its authors compiled it into a little-known Java image file format that allows the ransomware to fly under the radar.

The ransomware is housed in a trojanized version of the Java Runtime Environment. Its victims appear to be mainly small and medium-sized organizations in the software and education industries. The adversaries use customized lures in highly targeted attacks. In at least one case, they penetrated the organization's network via an Internet-facing RDP jump server.

The attackers used Image File Execution Options injection (T1183) to achieve persistence on the compromised systems. They then executed a backdoor alongside the Microsoft Windows On-Screen Keyboard feature, disabled the anti-malware solution, and changed the passwords for the Active Directory servers.
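As an added example (not from the original post and not SOC Prime's rule), the core of a T1183 detection in Python: it scans constructed Sysmon registry-value events for a Debugger value written under Image File Execution Options, rates a hit on osk.exe (the On-Screen Keyboard case described above) higher than one on any other binary, and suppresses the usual false positives from real debuggers registering themselves. The event fields, sample lines and the debugger allowlist are assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed Sysmon Event ID 13 (RegistryEvent: value set) records, already parsed into
# fields the way a SIEM would present them. Made-up sample lines, not real telemetry.
IFEO = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "13", "Image": r"C:\Windows\regedit.exe",
     "TargetObject": IFEO + r"\osk.exe\Debugger", "Details": r"C:\ProgramData\svc.exe"},
    {"EventID": "13", "Image": r"C:\Windows\System32\gflags.exe",
     "TargetObject": IFEO + r"\notepad.exe\GlobalFlag", "Details": "DWORD (0x00000002)"},
    {"EventID": "13", "Image": r"C:\Program Files\WinDbg\windbg.exe",
     "TargetObject": IFEO + r"\myapp.exe\Debugger", "Details": r"C:\Program Files\WinDbg\windbg.exe"},
    {"EventID": "13", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": IFEO + r"\calc.exe\Debugger", "Details": r"C:\Users\Public\svc.exe"},
]

# Only the Debugger value redirects a launch; other IFEO values (GlobalFlag etc.) are tuning knobs.
IFEO_DEBUGGER = re.compile(r"\\Image File Execution Options\\(?P<target>[^\\]+)\\Debugger$", re.I)

# The accessibility binary the post names. Windows can launch it from the logon screen, which is
# why a Debugger entry on it is a persistence mechanism rather than a developer setting.
LOGON_SCREEN_BINARIES = {"osk.exe"}

# Legitimate debuggers that register themselves under IFEO (assumed allowlist; tune per estate).
KNOWN_DEBUGGERS = {"windbg.exe", "vsjitdebugger.exe", "cdb.exe"}


def hijacked_binary(target_object: str) -> Optional[str]:
    """Return the executable whose launch is redirected, if the key is an IFEO Debugger value."""
    m = IFEO_DEBUGGER.search(target_object)
    return m.group("target").lower() if m else None


def evaluate(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Classify one Sysmon registry event; None means no alert."""
    if event.get("EventID") != "13":
        return None
    target = hijacked_binary(event.get("TargetObject", ""))
    if target is None:
        return None
    # Basename of the registered debugger; a production rule would parse the full command line.
    debugger = event.get("Details", "").replace("/", "\\").split("\\")[-1].lower()
    if debugger in KNOWN_DEBUGGERS:
        return None
    severity = "high" if target in LOGON_SCREEN_BINARIES else "medium"
    return {"target": target, "debugger": event.get("Details", ""),
            "writer": event.get("Image", ""), "severity": severity}


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run the rule over a batch of events and return the alerts in order."""
    return [a for a in (evaluate(e) for e in events) if a is not None]
```

Running `detect(SAMPLE_EVENTS)` yields two alerts: a high-severity one for osk.exe and a medium one for calc.exe, while the GlobalFlag change and the WinDbg self-registration are ignored.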

Researchers suggest that Tycoon ransomware may be operated by the same cybercriminals who distribute Dharma / CrySIS ransomware, and that the attackers choose which tool to use depending on the victim's environment.

A new community Sigma rule by Ariel Millahuel helps detect Tycoon ransomware as it prepares to encrypt files on infected systems: https://tdm.socprime.com/tdm/info/uqCfDQqIdCq1/SD26mHIBQAH5UgbBgDPq/?p=1

The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio

EDR: Microsoft Defender ATP, Carbon Black, Elastic Endpoint

MITRE ATT&CK:

Tactics: Privilege Escalation, Persistence, Defense Evasion, Execution

Techniques: Command-Line Interface (T1059), Image File Execution Options Injection (T1183)