Named Tycoon after references in the code, this ransomware has been active since December 2019 and looks to be the work of cyber criminals who are highly selective in their targeting. The malware also uses an uncommon deployment technique that helps stay hidden on compromised networks.
Tycoon is a multi-platform Java ransomware targeting Windows® and Linux® that has been observed in-the-wild since at least December 2019. It is deployed in the form of a Trojanized Java Runtime Environment (JRE) and leverages an obscure Java image format to fly under the radar.
The threat actors behind Tycoon were observed using highly targeted delivery mechanisms to infiltrate small to medium sized companies and institutions in education and software industries, where they would proceed to encrypt file servers and demand a ransom. However, due to the reuse of a common RSA private key it may be possible to recover data without the need for payment in earlier variants.
To read more go here