It is the Tuesday morning after a long weekend. You come into work early to get caught up on emails only to find you are completely locked out. You have been hit by a ransomware attack. You ask yourself, “What happened? And how do I fix it?”

This post will explore three of the most significant ransomware families of 2020: Tycoon, Ryuk and REvil. After discussing how these strains work, we’ll share some best practices that organizations can use to defend themselves against a ransomware infection.

Tycoon

Tycoon is compiled into the Java image file format (JIMAGE) and is deployed using a trojanized version of the Java Runtime Environment (JRE), an unusual delivery method that is rarely seen in ransomware. Tycoon commonly gains its initial foothold through an insecurely exposed RDP server. Once inside the network, it disables anti-malware software so that it can remain undetected on the system until the attack is complete.

This crypto-malware strain has been around since December 2019. Tycoon’s code is written to run against both Windows and Linux systems, and it is used to target small- and medium-sized businesses (SMBs), primarily in the software and education industries. Tycoon is believed to be linked to Dharma (Crysis) because of similarities in the naming conventions and email addresses used.

According to TechRadar, Tycoon has a very limited number of victims because of its narrowly chosen targets. In early versions of the Tycoon ransomware, some victims were able to recover their encrypted data using an RSA key bought from other victims, because the ransomware reused some keys across victims. However, this is not the case with more recent versions.

Ryuk

Ryuk works in two parts. The first is a dropper