GettyImages 1191423586

Security researchers have discovered a dangerous new strain of ransomware targeting Linux and Windows systems that uses a Java file format, making it highly difficult to detect before it detonates its file-encrypting payload.

Consulting giant KPMG’s incident response unit was called in to run the recovery effort at an unnamed European educational institute hit by a ransomware attack. BlackBerry’s security research unit, which partners with KPMG, analyzed the malware and published its findings Thursday.

BlackBerry’s researchers said that a hacker broke into the institute’s network using a remote desktop server connected to the internet, and deployed a persistent backdoor in order to gain easy access to the network after they leave. After a few days of inactivity to prevent detection, the hacker re-enters the network again through the backdoor, disables any running anti-malware service, spreads the ransomware module across the network and detonates the payload, encrypting each computer’s files and holding them hostage for a ransom.