What? Ransomware Written in Java?
You should all know that ransomware is typically written in JavaScript, ActionScript, C#, C++ and even Golang. But a new family of ransomware aims to get under the detection radar by porting itself to Java. It is named Tycoon, and appeared in December 2019. As it is a Java executable, it is able to run on a range of systems including Windows and Linux.
As with many ransomware attacks, the malware tries to get into the network through RDP (Remote Desktop Protocol), for example with stolen credentials. Once the intruder gains administrator credentials, they disable the anti-virus software and plant a backdoor on the network.
Then, typically on Day 7, the intruder makes RDP connections to machines on the network, disables the AV software, and runs the ransomware. The method used to gain persistence on a machine is IFEO (Image File Execution Options), a registry mechanism normally used by developers to debug their code. A backdoor is then placed in the Microsoft Windows On-Screen Keyboard (OSK) feature.
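The persistence trick above works by attaching a "Debugger" value to an executable's IFEO registry key, so a defender can audit those keys directly. The script below is an added example, not code from the post or from any analysis of Tycoon; it assumes a Windows host and an elevated PowerShell session, and it goes slightly beyond the post by flagging the other logon-screen accessibility binaries alongside osk.exe, since they are abused in the same way.

```powershell
# Added example: audit IFEO keys for "Debugger" values, the setting that makes
# Windows launch another program in place of (or before) the named executable.
# Assumes Windows and read access to HKLM (run elevated). Both the 64-bit and
# the WOW6432Node views are checked, since either can hold a hijack.
$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

# Accessibility binaries reachable from the logon screen. osk.exe is the one
# named in the post; the others are the usual companions for this trick.
$accessibilityBinaries = @(
    'osk.exe', 'sethc.exe', 'utilman.exe', 'narrator.exe',
    'magnify.exe', 'displayswitch.exe', 'atbroker.exe'
)

function Get-IfeoDebuggerFindings {
    param([string[]]$Roots = $ifeoRoots)

    $findings = @()
    foreach ($root in $Roots) {
        foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
            if (-not $props -or -not $props.Debugger) { continue }  # no Debugger value: nothing hooked

            $exe = $key.PSChildName
            # A Debugger value on a logon-screen binary is almost never legitimate
            # on a production host; anywhere else it still deserves a look.
            $severity = if ($accessibilityBinaries -contains $exe.ToLower()) { 'HIGH' } else { 'REVIEW' }

            $findings += [pscustomobject]@{
                Severity = $severity
                Target   = $exe
                Debugger = $props.Debugger
                Key      = $key.Name
            }
        }
    }
    return $findings
}

$results = @(Get-IfeoDebuggerFindings)
if ($results.Count -eq 0) {
    Write-Output 'No IFEO Debugger values found.'
} else {
    $results | Sort-Object Severity, Target | Format-Table -AutoSize
}
```

Developers' debugging entries will also show up as REVIEW findings, so the output is a triage list rather than a verdict; any HIGH entry, or a Debugger path pointing at a scripting runtime such as java.exe, should be investigated as a likely backdoor.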