Tycoon was originally known as RedRum. It uses AES-256-GCM and RSA-1024 to encrypt files.
The company provided a download link for the decryptor and asked those who wanted to use it to run the software as administrator.
None of the encrypted files would be removed by default, as there was no guarantee that the decrypted data would be identical to the original.
"If you want the decryptor to remove any encrypted files after they have been processed, you can disable this option. Doing so may be necessary if your disk space is limited," the company said.
Tycoon submissions to ID Ransomware over the last six months, with each submission representing an actual incident. Emsisoft guesstimates that only about 25% of ransomware victims use ID Ransomware, so the actual number of incidents would be about 4x higher.
Emsisoft ransomware researcher Brett Callow told iTWire that Tycoon was Java-based ransomware first noticed in December 2019. It appeared to primarily target smaller companies via attacks on improperly secured RDP.
"Our decryptor will enable the recovery of files encrypted with the .RedRum extension used by one variant, but not files encrypted by other variants with other extensions," he added.
"In the case of those other extensions, the only recovery option is via back-ups. Or by greasing the criminals' palms, of course.
"Companies can avoid being hit by Tycoon by adhering to oft-touted (and oft-ignored) best practices: disable RDP when not needed or lock it down, disable PowerShell when not needed, patch promptly, use multi-factor authentication everywhere it can be used, and so on."
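The hardening points Callow lists (RDP exposure, PowerShell, patching, MFA) can be checked on a Windows host without changing anything. The script below is an added example written for this page, not code from iTWire, Emsisoft or the Tycoon decryptor; it reads standard Windows registry values, firewall rules and hotfix data, and the 30-day patch-age threshold is an assumption chosen for illustration. MFA cannot be verified from the local host, so the script only reminds you to check it at the identity provider.

```powershell
# Added example (not from the article or Emsisoft): read-only audit of the RDP and
# PowerShell hardening practices quoted above. Run in an elevated PowerShell session.
# Registry paths are the standard Windows locations; the patch-age threshold is assumed.

function Get-TycoonHardeningFindings {
    [CmdletBinding()]
    param([int]$MaxPatchAgeDays = 30)   # assumed threshold, adjust to policy

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Remote Desktop: fDenyTSConnections = 1 means RDP is disabled.
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
    if ($ts -and $ts.fDenyTSConnections -eq 0) {
        $findings.Add('RDP is enabled on this host; disable it if it is not needed.')

        # 2. If RDP stays on, require Network Level Authentication (UserAuthentication = 1).
        $rdpTcp = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -ErrorAction SilentlyContinue
        if ($rdpTcp -and $rdpTcp.UserAuthentication -ne 1) {
            $findings.Add('RDP does not require Network Level Authentication.')
        }

        # 3. Enabled inbound firewall rules in the Remote Desktop group mean the port is reachable.
        $rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
            Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }
        if ($rdpRules) {
            $findings.Add("Inbound RDP firewall rules enabled: $(@($rdpRules).Count); restrict to a VPN or management network.")
        }

        # 4. Who can log on over RDP? Large or generic groups widen the attack surface.
        $rdpUsers = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue
        if ($rdpUsers) {
            $findings.Add("Members of Remote Desktop Users: $(($rdpUsers | ForEach-Object { $_.Name }) -join ', ')")
        }
    }

    # 5. Legacy PowerShell 2.0 engine bypasses script block logging and constrained language.
    $psv2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 -ErrorAction SilentlyContinue
    if ($psv2 -and $psv2.State -eq 'Enabled') {
        $findings.Add('Legacy PowerShell 2.0 engine is enabled; remove it.')
    }

    # 6. Script block logging gives responders visibility into PowerShell use.
    $sbl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -ErrorAction SilentlyContinue
    if (-not $sbl -or $sbl.EnableScriptBlockLogging -ne 1) {
        $findings.Add('PowerShell script block logging is not enabled.')
    }

    # 7. Patch promptness: date of the most recently installed hotfix.
    $lastFix = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    if (-not $lastFix) {
        $findings.Add('No hotfix install dates found; verify patch status manually.')
    } elseif ($lastFix.InstalledOn -lt (Get-Date).AddDays(-$MaxPatchAgeDays)) {
        $findings.Add("Last hotfix installed $($lastFix.InstalledOn.ToShortDateString()); older than $MaxPatchAgeDays days.")
    }

    # 8. MFA is enforced at the identity provider or RDP gateway, not visible locally.
    $findings.Add('Reminder: confirm MFA is enforced for RDP/VPN logons at the identity provider.')

    return $findings
}

# Usage: print findings as a numbered list.
$i = 1
foreach ($f in Get-TycoonHardeningFindings) {
    "{0}. {1}" -f $i, $f
    $i++
}
```

Each finding maps to one item in the quoted list, so a clean run on a workstation where RDP is disabled should produce only the MFA reminder and, if applicable, the PowerShell 2.0 and logging lines. Run it from an elevated session, since Get-WindowsOptionalFeature and the firewall query need administrator rights.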