As conventional ransomware runs into its limits, its developers are getting more creative with new variants. Their latest experiment is cross-platform malware written in Java.
Java was originally designed so that software written once could run on many operating systems. That principle has long since ceased to play a significant role in application development, which makes it all the more remarkable that malware authors are now dusting the concept off again.
The discoverers of the malicious code are no less unusual: the analysis was carried out not by a traditional security vendor but by security researchers at BlackBerry, with support from IT specialists at the consulting firm KPMG. They named the ransomware, which has probably been active since December 2019, Tycoon, after references found in its source code.
The malicious code itself uses a number of fairly widespread techniques to stay reasonably well hidden on compromised systems and networks. According to what is known so far, the ransomware is aimed primarily at organisations in the education sector and the software industry. The choice of Java may serve more than the purpose of attacking several platforms at once (Tycoon has been found on both Windows and Linux machines): it is also relatively rare for malware authors to use this language and to package their code in Java image (JIMAGE) files, so the authors may have hoped to attract less attention from security tools. Otherwise, the ransomware follows the usual pattern of encrypting the victim's files and presenting a corresponding ransom demand.
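Because Java image files are rare outside a JDK installation, their presence anywhere else is a cheap hunting signal. The following is an added example, not code from the BlackBerry/KPMG analysis or from the article: it identifies JIMAGE files by their header magic (0xCAFEDADA, which OpenJDK's reader accepts in either byte order) and flags any that do not sit at the usual `<JDK>/lib/modules` location. The assumption that only that path legitimately holds a JIMAGE file, and the sample file names used in the demo, are the author's constructions for illustration.

```python
import os
import tempfile

# JIMAGE (Java image) files begin with the 32-bit magic 0xCAFEDADA, written in the
# byte order of the system that produced the file; OpenJDK's reader accepts either
# order, so both byte sequences are checked.
JIMAGE_MAGIC_BE = b"\xca\xfe\xda\xda"
JIMAGE_MAGIC_LE = b"\xda\xda\xfe\xca"
# Java class files share the "CAFE" prefix but use 0xCAFEBABE; listed here only so the
# demo can show that they are not mistaken for JIMAGE files.
CLASS_MAGIC = b"\xca\xfe\xba\xbe"


def is_jimage(header: bytes) -> bool:
    """True if the first four bytes are the JIMAGE magic in either byte order."""
    return header[:4] in (JIMAGE_MAGIC_BE, JIMAGE_MAGIC_LE)


def is_expected_jimage_location(path: str) -> bool:
    """Assumption: the only legitimate JIMAGE on a host is <JDK>/lib/modules."""
    parts = os.path.normpath(path).replace("\\", "/").split("/")
    return len(parts) >= 2 and parts[-2] == "lib" and parts[-1] == "modules"


def scan_tree(root: str):
    """Walk root and return (path, suspicious) for every JIMAGE file found.

    suspicious is True when the file is not at the expected lib/modules location.
    """
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4)
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            if is_jimage(head):
                findings.append((path, not is_expected_jimage_location(path)))
    return findings


def demo():
    """Constructed sample tree (hypothetical names): a JDK-style lib/modules, a stray
    JIMAGE dropped in a temp directory, and an ordinary class file as a negative case."""
    root = tempfile.mkdtemp()
    samples = (
        (os.path.join(root, "jdk", "lib", "modules"), JIMAGE_MAGIC_LE),
        (os.path.join(root, "tmp", "update.jimage"), JIMAGE_MAGIC_BE),
        (os.path.join(root, "app", "Main.class"), CLASS_MAGIC),
    )
    for path, magic in samples:
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            # magic plus zero padding standing in for the rest of the header
            fh.write(magic + b"\x00" * 28)
    return sorted(
        (os.path.relpath(path, root).replace(os.sep, "/"), suspicious)
        for path, suspicious in scan_tree(root)
    )


if __name__ == "__main__":
    for rel_path, suspicious in demo():
        print(("SUSPICIOUS " if suspicious else "expected   ") + rel_path)
```

In practice the scan would run over the whole filesystem (or be expressed as a YARA rule on the same four bytes), and any hit outside a JDK directory deserves a closer look, since the only software that normally ships a JIMAGE is the Java runtime itself.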