Pierluigi Paganini July 04, 2020

A new piece of ransomware dubbed Try2Cry leverages infected USB flash drives and Windows shortcuts (LNK files) to infect other Windows systems.

A new ransomware dubbed Try2Cry implements wormable capabilities to infect other Windows systems by using USB flash drives or Windows shortcuts (LNK files).

The Try2Cry ransomware was discovered by the malware researcher Karsten Hahn while analyzing an unidentified malware sample.

The expert was testing detection signatures of the company product, when one of them written to check for a USB worm component implemented in some variants of .NET based RATs triggered an alert. The expert discovered an unidentified .NET ransomware that seemed familiar to hit.

Hann wrote Yara rules to find other samples uploaded to VirusTotal and was able to analyze a sample obfuscated with the DNGuard code protection tool.

The researcher identified the sample as being a variant of the “Stupid” ransomware family after a private conversation with the malware researcher Michael Gillespie.

“Indeed, I found 10 more Try2Cry samples, none of which had DNGuard protection. Some of those samples have the worm component, some of them don’t. A few of them have Arabic ransom notes. All of them append .Try2Cry to encrypted files.” reads the analysis published by the expert.

The malware uses the Rijndael alghorithm and the encryption password is hardcoded. The encryption key is created by calculating a SHA512 hash of the password and using the first 32 bits of this hash.

Try2Cry ransomware targets multiple file types, including .doc, .ppt, .jpg, .xls, .pdf, .docx, .pptx, .xls, and .xlsx files, and appends a .Try2Cry extension to all encrypted files.

The victims’ files are encrypted using the Rijndael symmetric key encryption algorithm and a hardcoded encryption key.

The expert noticed that the ransomware will not encrypt systems with names DESKTOP-PQ6NSM4 and IK-PC2, which are believed to be the names of the malware developer’s machines and were used to test the malware.

Try2Cry’s developer has also included a failsafe within the ransomware’s code designed to skip encryption on any infected systems with DESKTOP-PQ6NSM4 or IK-PC2 machine names.

Try2Cry outstands for its capability to attempt to spread to other potential victims’ devices via USB flash drives.

It uses a technique that is similar to the one used by the Spora ransomware and the Spora, Dinihou, or Gamarue malware.

Try2Cry ransomware searches for any removable drives connected to the compromised machine, then it will save a copy of itself named Update.exe to the root folder of each USB flash drive it finds.

Next, the ransomware will hide all files on the removable drive and will replace them with Windows shortcuts (LNK files) with the same icon.

Upon clicking the links, the original file is opened along with the Update.exe Try2Cry ransomware payload in the background.

The ransomware also creates visible copies of itself on the USB drives, using the default Windows icon folder and Arabic names in the attempt to trick victims into clicking on them.

“Unlike Spora there are tell-tale signs of the USB drive infection, like the arrow in the corner of the shortcut icons and the additional Arabic executables.” continues the expert.

The good news is that like other variants of the Stupid ransomware variants, victims of the Try2Cry ransomware could decrypt their files for free.

Pierluigi Paganini

(SecurityAffairs – hacking, Try2Cry ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]