Caleb Boma | June 12th, 2020

Ransomware groups continue to innovate with new ways of locking down environments. SpearTip has analyzed several new approaches over the last several weeks. One of the latest is Java-based ransomware. It has been observed “in the wild”, but not yet on a widespread basis.

Java-based ransomware is difficult for many security solutions to detect. Why? Because it leverages the Java image file format (JIMAGE) and the virtualization provided by the Java Runtime Environment, so the malicious code is carried inside a runtime image rather than a conventional executable. Many solutions are unable to recognize the encryption routines used to lock down files.
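One defensive handle on this packaging is to hunt for JIMAGE files that are not part of an installed JDK. The following is an added example (not SpearTip's or ShadowSpear's code): it identifies JIMAGE files by their header magic rather than by file name or extension, and flags any that sit outside the stock `<jdk>/lib/modules` location. The header layout (seven 32-bit fields after the `0xCAFEDADA` magic, written in the host's byte order) and the "stock JDK location" heuristic are assumptions stated in the comments.

```python
import os
import struct
from dataclasses import dataclass
from typing import Callable, Iterator, Optional, Tuple
# JIMAGE magic (0xCAFEDADA) from the JDK's jimage code; the file is written in
# the host's byte order, so on x86 it starts DA DA FE CA. Layout assumed: 7 x u4.
JIMAGE_MAGIC = 0xCAFEDADA
HEADER_LEN = 28

@dataclass
class JimageHeader:
    byte_order: str      # "<" little-endian, ">" big-endian
    version: int         # raw version word (major/minor packing not decoded here)
    flags: int
    resource_count: int  # number of entries (classes, resources) packed inside
    table_length: int
    locations_size: int
    strings_size: int

def parse_jimage_header(data: bytes) -> Optional[JimageHeader]:
    """Return the parsed header if `data` starts with a JIMAGE header, else None."""
    if len(data) < HEADER_LEN:
        return None
    for order in ("<", ">"):
        fields = struct.unpack(order + "7I", data[:HEADER_LEN])
        if fields[0] == JIMAGE_MAGIC:
            return JimageHeader(order, *fields[1:])
    return None

def is_expected_jdk_image(path: str, exists: Callable[[str], bool] = os.path.exists) -> bool:
    """Heuristic (an assumption): a stock JDK keeps its image at <jdk>/lib/modules
    beside <jdk>/bin/java; any other JIMAGE file is a custom runtime image."""
    lib_dir, name = os.path.split(path)
    if name != "modules" or os.path.basename(lib_dir) != "lib":
        return False
    jdk_root = os.path.dirname(lib_dir)
    return any(exists(os.path.join(jdk_root, "bin", l)) for l in ("java", "java.exe"))

def scan_tree(root: str) -> Iterator[Tuple[str, JimageHeader, bool]]:
    """Walk `root`, yielding (path, header, is_stock_jdk) for every JIMAGE file."""
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            try:
                with open(full, "rb") as fh:
                    hdr = parse_jimage_header(fh.read(HEADER_LEN))
            except OSError:
                continue  # unreadable file; skip rather than abort the hunt
            if hdr is not None:
                yield full, hdr, is_expected_jdk_image(full)
```

Run `scan_tree` over user-writable locations from a scheduled job and alert on any result whose third element is False; because the check is on the header, renamed or mis-extensioned images are still found.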

Before running Java-based ransomware, cyber criminals often look for weak points within your organization to gain entry into your network. One example is RDP (Remote Desktop Protocol): if the protocol is exposed to the public internet, cyber criminals can easily exploit its known weaknesses. This gives them an easy way to access your environment, escalate privileges, and then lock down your files. After locking the files, most cyber criminals demand a substantial ransom to unlock them. In general, preventing this type of attack is the best approach, and it is advised not to pay the ransom.

Java-based ransomware is not completely new; it has been active before. Yet, as security solutions block traditional ransomware attacks, cyber criminals are discovering that most security systems are not equipped to stop this type of threat. SpearTip expects these groups to keep finding creative ways to ransom environments.

It is important to constantly evaluate your organization’s security posture. Human-based cyber expertise is critical to stopping these threats. SpearTip’s ShadowSpear® platform has the capabilities to stop ransomware before it compromises an environment, even emerging types of ransomware.

To learn more about ShadowSpear®, visit

24/7 Breach Response: 833.997.7327