Security researchers have discovered a new kind of ransomware that uses an obscure Java file format, making it harder to detect before it detonates its file-encrypting payload.
The malware was found after an educational institution in Europe, which was not named, was hit by ransomware and called in the incident response team of consulting giant KPMG. Blackberry's security research unit, which partners with KPMG, analyzed the malware and published its findings on Thursday.
Researchers at Blackberry said the hackers used an Internet-facing remote desktop server to break into the network and planted a persistent backdoor so they could easily return after leaving. To avoid detection, the hackers waited several days of inactivity before re-entering the network through the backdoor, disabling the running anti-malware services, spreading the ransomware modules across the network, and detonating the payload, which encrypted the files on each computer and held them hostage for ransom.
Researchers said they had not previously seen ransomware modules compiled in the Java image file format, or JIMAGE. Such a file contains everything the code needs to run (much like a Java application), but the format is rarely inspected by anti-malware engines and may go undetected.
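As an added defender-side example, not code from the article or from the Blackberry and KPMG researchers, the scanner below identifies JIMAGE containers by their header rather than by file extension and flags any found outside a JDK's own lib/modules image. The magic value 0xCAFEDADA and the version word layout come from the OpenJDK jimage header format; the sample files it scans are constructed in a temporary directory.

```python
import struct
import tempfile
from pathlib import Path

# Header facts from the OpenJDK jimage container format (jdk.internal.jimage.ImageHeader):
# a 32-bit magic 0xCAFEDADA followed by a 32-bit version word (major << 16 | minor).
# The container may be written in either byte order, so both layouts are accepted here.
JIMAGE_MAGIC = 0xCAFEDADA
HEADER_LEN = 8

def identify_jimage(head: bytes):
    """Return (is_jimage, byte_order, major, minor) from the first bytes of a file."""
    if len(head) < HEADER_LEN:
        return (False, None, None, None)
    for order, name in (("<", "little"), (">", "big")):
        magic, version = struct.unpack(order + "II", head[:HEADER_LEN])
        if magic == JIMAGE_MAGIC:
            return (True, name, version >> 16, version & 0xFFFF)
    return (False, None, None, None)

def scan_tree(root, expected_suffix="lib/modules"):
    """Walk root; report every JIMAGE file and flag those outside a JDK's lib/modules."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        with open(path, "rb") as fh:
            is_jimage, order, major, minor = identify_jimage(fh.read(HEADER_LEN))
        if is_jimage:
            rel = path.relative_to(root).as_posix()
            findings.append({"path": rel, "byte_order": order, "version": f"{major}.{minor}",
                             "suspicious": not rel.endswith(expected_suffix)})
    return findings

def demo():
    """Constructed sample tree: a legitimate-looking JDK image plus a JIMAGE under a bland name."""
    header = struct.pack("<II", JIMAGE_MAGIC, (1 << 16) | 0)  # constructed v1.0 header
    with tempfile.TemporaryDirectory() as tmp:
        jdk_lib = Path(tmp, "jdk", "lib")
        jdk_lib.mkdir(parents=True)
        (jdk_lib / "modules").write_bytes(header + b"\0" * 24)
        (Path(tmp) / "update.dat").write_bytes(header + b"\0" * 24)  # container, wrong place
        (Path(tmp) / "notes.txt").write_bytes(b"plain text, not a container")
        return scan_tree(tmp)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Pointing `scan_tree` at a user profile or temp directory surfaces JIMAGE files that an extension-based allow-list would miss.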
Ransomware operators typically use strong, commercial-grade encryption algorithms to scramble victims' files and then demand a ransom in exchange for decrypting them. For most victims, the only options are restoring from backups or paying the ransom. (The FBI has long discouraged victims from paying.)
However, the researchers said there is hope that some victims can recover their encrypted files without paying. Early versions of the Tycoon ransomware scrambled victims' files with the same encryption key, which means a single decryption tool can recover the files of multiple victims. The latest version of Tycoon, however, appears to have fixed this weakness.
Blackberry's Eric Milam and Claudio Teodorescu told TechCrunch they had observed 12 "targeted" Tycoon infections over the past six months, suggesting the hackers carefully chose their victims, which include educational institutions and software houses.
But, as is often the case, the researchers said the actual number of infections is likely to be much higher.