Security researchers have discovered a new kind of ransomware that uses a little-known Java file format to make it more difficult to detect before it detonates its file-encrypting payload.

Consulting giant KPMG’s incident response unit was called in to run the recovery effort at an unnamed European educational institute hit by a ransomware attack. BlackBerry’s security research unit, which partners with KPMG, analyzed the malware and published its findings Thursday.

BlackBerry’s researchers said that a hacker broke into the institute’s network using a remote desktop server connected to the internet, and deployed a persistent backdoor in order to gain easy access to the network after they leave. After a few days of inactivity to prevent detection, the hacker re-enters the network again through the backdoor, disables any running anti-malware service, spreads the ransomware module across the network and detonates the payload, encrypting each computer’s files and holding them hostage for a ransom.

The researchers said it was the first time they’ve seen a ransomware module compiled into a Java image file format, or JIMAGE. These files contain all the components needed for the code to run — a bit like a Java application — but are rarely scanned by anti-malware engines and can go largely undetected.

BlackBerry named the ransomware “Tycoon,” referencing a folder name found in the decompiled code. The researchers said the module had code that allows the ransomware to run on both Windows and Linux computers.

Ransomware operators typically use strong, off-the-shelf encryption algorithms to scramble victims’ files in exchange for a ransom, often demanded in cryptocurrency. For most victims, their only options are to hope they have a backup or pay the ransom. (The FBI has long discouraged victims from paying the ransom.)

But the researchers said there was hope that some victims could recover their encrypted files without paying the ransom. Early versions of the Tycoon ransomware used the same encryption keys to scramble their victims’ files. That means one decryption tool could be used to recover files for multiple victims, the researchers said. But newer versions of Tycoon seem to have fixed this weakness.

BlackBerry’s Eric Milam and Claudiu Teodorescu told TechCrunch that they have observed about a dozen “highly targeted” Tycoon infections in the past six months, suggesting the hackers carefully select their victims, including educational institutions and software houses.

But, as is often the case, the researchers said that the actual number of infections is likely far higher.