Try2Cry Ransomware targeting Windows systems and spreads by infecting USB flash Drives

[Image credit: nupittus_art from iStock]

A new ransomware has come into the limelight that tries to worm its way onto other Windows computers by infecting USB flash drives and using Windows shortcuts (LNK files) posing as the target's files to tempt them into infecting themselves. The researcher who found it named it Try2Cry.

The Try2Cry ransomware was discovered by Karsten Hahn (Malware Analyst at G DATA) when a detection signature designed to spot USB worm components was triggered while he was analyzing an unidentified malware sample. Try2Cry is a .NET ransomware and another variant of the open-source Stupid ransomware family, as Hahn found after analyzing a sample obfuscated with the DNGuard code protection tool.

The researcher found ten other Try2Cry ransomware samples on VirusTotal while hunting for a variant that wasn't obfuscated, to make the analysis easier; some of them also lacked the worm component.

Decryptable ransomware with a failsafe

After infecting a device, Try2Cry ransomware will encrypt .doc, .jpg, .ppt, .xls, .docx, .pdf, .pptx, .xls, and .xlsx files, appending a .Try2Cry extension to every encrypted file. The victims' files are encrypted using the Rijndael symmetric encryption algorithm and a hardcoded encryption key.

Karsten Hahn explained that the encryption key is created by calculating a SHA512 hash of the password and using the first 32 bits of this hash. The IV creation is almost identical to that of the key, but it uses the next 16 bits (indices 32-47) of the same SHA512 hash.

[Image: Try2Cry encryption key calculation. Source: Karsten Hahn]

Try2Cry's developer has also included a failsafe in the ransomware's code that skips encryption on any infected system whose machine name is DESKTOP-PQ6NSM4 or IK-PC2. This is most probably a safeguard that lets the malware's creator test the ransomware on their own devices without the risk of inadvertently locking their own files.

[Image: Try2Cry ransom note in strings listing. Source: Karsten Hahn]

Worming its way through USB devices

The most interesting feature of Try2Cry is its capability to infect and attempt to spread to other potential victims' devices via USB flash drives. Try2Cry first looks for any removable devices, such as pen drives and external hard drives, connected to the compromised computer, and copies itself under the name Update.exe to the root folder of each USB device it finds.

Next, it hides all files on the removable device and replaces them with Windows shortcuts (LNK files) carrying the same icon. When a victim clicks one of these shortcuts, it opens the original file and also launches the Update.exe Try2Cry ransomware payload in the background.

[Image: Try2Cry infecting USB drives. Source: Karsten Hahn]

This ransomware also creates visible copies of itself on the USB drives, using the default Windows folder icon and Arabic names, in the hope that curious victims will click on them and infect themselves. Try2Cry's Windows shortcuts also carry the shortcut arrow overlay on their icons, which makes an infected USB flash drive a lot easier to spot.

The use of Arabic names is also a dead giveaway that something is not right when this ransomware infects USB devices used by targets who don't speak Arabic. Just like other Stupid ransomware variants, Try2Cry is decryptable, a sure sign that it was created by someone with very little programming experience.
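As an added example (not code from the article or from Karsten Hahn's analysis), the following Python script checks a drive's root for the infection pattern described above: an Update.exe in the root, a .lnk shortcut sitting next to each original file it replaced, and files renamed with the .Try2Cry extension. It builds a constructed sample layout in a temporary directory so it runs offline; a real drive would also show the hidden attribute on the originals, which this portable check does not inspect.

```python
import tempfile
from pathlib import Path

# Indicators taken from the write-up: a copy named Update.exe in the drive
# root, a .lnk shortcut for each (now hidden) original file, and encrypted
# files carrying the .Try2Cry extension. Comparisons are case-insensitive
# because Windows file names are.
PAYLOAD_NAME = "update.exe"
ENCRYPTED_EXT = ".try2cry"


def scan_removable_root(root):
    """Return the Try2Cry-style indicators found under `root`."""
    root = Path(root)
    findings = {"payload_in_root": False, "shadow_lnks": [], "encrypted_files": []}
    for entry in root.iterdir():
        if entry.is_file() and entry.name.lower() == PAYLOAD_NAME:
            findings["payload_in_root"] = True
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        name = path.name.lower()
        rel = path.relative_to(root).as_posix()
        if name.endswith(ENCRYPTED_EXT):
            findings["encrypted_files"].append(rel)
        elif name.endswith(".lnk"):
            # A shortcut whose stem matches a sibling file is the worm's lure:
            # the real file was hidden and "<file>.lnk" dropped beside it, so
            # Explorer (which hides the .lnk extension) shows the same name.
            siblings = {p.name.lower() for p in path.parent.iterdir() if p != path}
            if path.stem.lower() in siblings:
                findings["shadow_lnks"].append(rel)
    return findings


def build_sample_drive():
    """Construct an offline sample layout mimicking an infected USB root."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    (root / "Update.exe").write_bytes(b"constructed sample, not a real binary")
    (root / "report.docx").write_bytes(b"original, hidden on a real drive")
    (root / "report.docx.lnk").write_bytes(b"constructed shortcut stand-in")
    (root / "photos").mkdir()
    (root / "photos" / "trip.jpg").write_bytes(b"original")
    (root / "photos" / "trip.jpg.lnk").write_bytes(b"constructed shortcut stand-in")
    (root / "notes.txt").write_bytes(b"untouched, no shortcut twin")
    (root / "budget.xlsx.Try2Cry").write_bytes(b"constructed ciphertext stand-in")
    return root


if __name__ == "__main__":
    print(scan_removable_root(build_sample_drive()))
```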

Just last month, Tycoon ransomware was found targeting Windows and Linux systems. It has targeted small to medium-sized organizations and institutions in the education and software industries since at least December 2019, with threat actors encrypting file servers and demanding a ransom.

On 04 June 2020, the new Avaddon ransomware came into the spotlight, targeting users worldwide through a massive spam campaign. Avaddon is actively recruiting hackers and malware distributors to spread the ransomware by any means possible. Also, a new ransomware variant, EvilQuest, targets Mac users and steals sensitive data from their devices.
