Try2Cry ransomware tries a worm way to infect other Windows computers.

Try2Cry ransomware tries a worm way to infect other Windows computers. It infects USB flash drives by posing itself as Windows LNK shortcut files.

The discovery of Try2Cry ransomware is credited to Karsten Hahn – G DATA malware analyst. While analyzing some unknown malware samples, a detection signature that was designed for spotting USB worm components. This triggered a .NET ransomware.

Also, as Hahn analysed other sample codes that were uploaded to the VirusTotal, then was able to analyse a sample code obfuscated within the DNGuard code protection tool. The researcher found it to be a variant of Stupid ransomware family, that is an open-source ransomware that is easily available on Github repositories.

“Indeed, I found 10 more Try2Cry samples, none of which had DNGuard protection. Some of those samples have the worm component, some of them don’t. A few of them have Arabic ransom notes. All of them append .Try2Cry to encrypted files.” reads the analysis report published by the expert.

Try2Cry ransomware Encryption Method

Once it gets successful in infecting any device, it encrypts victims files using Rijndael symmetric key encryption algorithm and a hard-coded encryption key.

The Try2Cry ransomware will encrypt .doc, .ppt, .jpg, .xls, .pdf, .docx, .pptx, .xls, and .xlsx files, and appends a “.Try2Cry” extension to the files encrypted.

Try2Cry ransom note As analysed in strings listing

Try2Cry ransom note As analysed in strings listing

“The encryption key is created by calculating a SHA512 hash of the password and using the first 32 bits of this hash,” Hahn explains further.

“The IV creation is almost identical to the key, but it uses the next 16 bits (indices 32-47) of the same SHA512 hash.”

Try2Cry ransomware with a failsafe Code

The researchers have found that the ransomware skips encrypting the systems having names DESKTOP-PQ6NSM4 and IK-PC2. It is believed that they are machine names for the creators of the ransomware.

They might have used it in the testing phase, so that the code will safeguard their machine from encrypting their own data. For this, the authors include a failsafe within the Try2Cry ransomware’s code.

Try2Cry ransomware leverages Worm capabilities to infect USB drives

Unlike other ransomware, which mostly uses spam email as the infection vector to spread among users. Try2Cry uses a different approach by expanding its capabilities. And targeting the potential users and devices via USB flash drives.

Try2Cry ransomware Tries Worm Way To Infect Other Windows systems

Try2Cry ransomware Tries Worm Way To Infect Other Windows systems

However, this technique is not new, and has been used by Spora ransomware along with Dinihou, or Gamarue malware to name a few.

Try2Cry ransomware attempts to infect any USB flash drives that are found to be connected with the compromised machine. If found, it copies itself as “Update.exe” to the root folder of the USB flash drive.

After which, the ransomware hides the original files on the USB drive and replaces them as Windows shortcuts (LNK files) with the same icon.

When the user opens the compromised LNK files, it rather opens the original files with the Update.exe. Thus, the payloads of the Try2Cry ransomware payload are dropped on the machine and executed further.
Additionally, the ransomware tricks the victims by creating visible copies of itself on the USB drives. It uses the default Windows icon folder and Arabic names to make users click on them.

Fortunately, the Try2Cry ransomware is also decryptable, like many other variants of Stupid ransomware. As the malware is programmed by less experienced programmers.

Protect your computer with HitmanPro.Alert Now

While, threat actors can exploit the vulnerabilities any time, so it is necessary to have an active anti-virus protection always running on the system. The best one we recommend is HitmanPro.Alert, that will guard your system against all odds.

HitmanPro.Alert step 4

HitmanPro.Alert step 4

More From Unboxhow