A new ransomware has been uncovered by Blackberry that has been “in-the-wild” since at least December 2019.

Named “Tycoon”, it targets Windows and Linux systems on compromised networks. And it seems to specifically target the education and software sectors.

It’s an unusual form of ransomware because it’s written in Java, deployed as a trojanised Java Runtime Environment and is compiled in a Java image file (Jimage) to hide the malicious intentions.

However, the first stage of Tycoon ransomware attacks is less uncommon, with the initial intrusion coming via insecure internet-facing RDP servers. This is a common attack vector for malware campaigns and it often exploits servers with weak or previously compromised passwords.


By implementing multi-factor authentication with GreenRADIUS, organizations can protect their RDP servers even if passwords are weak or have been compromised. By using tokens such as YubiKeys with GreenRADIUS, RDP logins are secured by requiring password plus token. And the same tokens with GreenRADIUS can be used to secure logins for Windows Logon, Linux SSH, ADFS, VPN, network equipment, websites, and other integrations.