Researchers uncovered new ransomware, known as ‘Try2Cry’, which is striking Windows users through the help of USB flash drive.
‘Try2Cry’ is a .NET ransomware and also an alternative of the open-source Stupid ransomware family. Researchers after investigating a sample that is confused with the DNGuard code protection tool.
Karsten Hahn a, G DATA malware analyst found USB worm segments and some unidentified malware samples. Not only this but also composed some Yara rule to identify other examples that were uploaded to VirusTotal and were able to investigate the sample that is confused with the DNGuard code protection tool.
The ransomware is likely to be created by less experienced malware developers and is continually applying law enforcement and different pop culture themes. That’s why there are 10 Try2Cry malware samples that are detected by the experts of the virus total during the whole investigation.
Here are the strings listing that indicates the following points:-
- DNGuard was used to protect the sample.
- .Try2Cry extension is conjoined to encrypted files
- The contact email is [email protected]
Try2Cry belongs to the stupid ransomware family, and that’s why the threat actors gave its name by themselves. “Stupid” is open-source ransomware on Github that has numerous variants.
Security experts detected two variants of this ransomware, one is Sample 2, and the other one is sample 3.
Sample 2 is a slight obfuscation, while Sample 3 has no worm element but also no obfuscation as well. Presenting it as a better candidate for code-based screenshots, and not only that even it also uses the Arabic ransom notes as well.
Worming Through USB Drives
Try2Cry is one of the ransomware that is quite interesting with its own feature, and its open-source feature makes it a member of the Stupid ransomware family. Try2Cry initially looks for any movable drives that are connected to the settled computer, and then it assigns a copy of itself, which is named as Update.exe to the root folder of every USB flash drive.
Once it has done so, it will hide each file on the portable drive and will substitute them with Windows shortcuts along with the same icon. So, if you click them, then all these shortcuts will open the original file and will also start the Update.exe Try2Cry ransomware payload in the background.
The Try2Cry ransomware uses the Rijndael encryption method, the predecessor of AES; here, the password of this encryption are robust and reliable. The encryption key is produced by measuring a SHA512 hash of the password and utilizing the initial 32-bits of this hash.
Whereas the IV creation is nearly the same as the key, but it utilizes the next 16-bits of the same SHA512 hash. Therefore, the developer set an allowance for the machine names DESKTOP-PQ6NSM4 and IK-PC2.
Here are the Extensions Used By The Try2Cry Ransomware:-
Fortunately, Try2Cry ransomware is decryptable like other ransomware of Stupid ransomware family, and it shows that this ransomware is also created by low skilled developers. Moreover, the victims of Try2Cry ransomware can easily decrypt their files for free.
You can also read the complete ransomware mitigation checklist.
Also Read :