A new ransomware has come into the limelight that tries to worm its way onto other Windows computers by infecting USB flash drives and using Windows shortcuts (LNK files) posing as the victim's files to tempt them into infecting themselves.
The Try2Cry ransomware was discovered by Karsten Hahn (Malware Analyst at G DATA) when a detection signature designed to spot USB worm components was triggered while he was analyzing an unidentified malware sample. Try2Cry is a .NET ransomware and another variant of the open-source Stupid ransomware family.
The researcher found ten more Try2Cry samples on VirusTotal while hunting for an unobfuscated variant that would make analysis easier; some of them also lacked the worm component.
Decryptable ransomware with a failsafe
After infecting a device, Try2Cry encrypts .doc, .jpg, .ppt, .xls, .docx, .pdf, .pptx, .xls, and .xlsx files, appending a .Try2Cry extension to every encrypted file. The victims' files are encrypted with the Rijndael symmetric encryption algorithm and a hardcoded encryption key.
The encryption key is created by calculating a SHA512 hash of the password and using the first 32 bits of this hash. The IV is created almost identically, but it uses the next 16 bits (indices 32-47) of the same SHA512 hash.
Try2Cry's developer has also included a failsafe in the ransomware's code that skips encryption on any infected system whose machine name is DESKTOP-PQ6NSM4 or IK-PC2. This is most probably a safeguard that lets the malware's creator test the ransomware on his own devices without the risk of inadvertently locking his own files.
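To make the derivation concrete, here is an added Go example (not code from the article, from G DATA or from the malware itself) that reproduces the key and IV derivation and wraps it in a small decryptor, which is why a hardcoded password makes the files recoverable. It assumes the hardcoded password (not published on this page, so a placeholder is used) and the .NET RijndaelManaged defaults of a 128-bit block in CBC mode with PKCS#7 padding; the hash slices are taken as bytes, since the indices 32-47 quoted above index the 64-byte SHA512 digest and a 256-bit Rijndael key is 32 bytes.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha512"
	"errors"
	"fmt"
)

// deriveKeyIV follows the derivation described above: SHA512 of the hardcoded
// password, bytes 0..31 as the 256-bit key and bytes 32..47 as the 16-byte IV.
func deriveKeyIV(password string) (key, iv []byte) {
	sum := sha512.Sum512([]byte(password))
	return sum[:32], sum[32:48]
}

// encryptBuffer stands in for the ransomware's file encryption so the decryptor can be
// exercised offline; AES-256-CBC with PKCS#7 padding is an assumption, not read from the sample.
func encryptBuffer(plain []byte, password string) []byte {
	key, iv := deriveKeyIV(password)
	block, _ := aes.NewCipher(key) // a 32-byte key is always accepted
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	padded := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(padded, padded) // encrypt in place
	return padded
}

// decryptBuffer recovers a .Try2Cry file body; it checks length and padding so a wrong password fails cleanly.
func decryptBuffer(ct []byte, password string) ([]byte, error) {
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of blocks")
	}
	key, iv := deriveKeyIV(password)
	block, _ := aes.NewCipher(key)
	plain := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, ct)
	pad := int(plain[len(plain)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(plain[len(plain)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad padding: wrong password or corrupted file")
	}
	return plain[:len(plain)-pad], nil
}

func main() {
	const pw = "PLACEHOLDER-password" // the sample's real hardcoded password is not on this page
	pt, err := decryptBuffer(encryptBuffer([]byte("constructed document contents"), pw), pw)
	fmt.Printf("%q %v\n", pt, err)
}
```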
Worming its way through USB devices
The most interesting feature of Try2Cry is its ability to infect and attempt to spread to other potential victims' devices via USB flash drives. Try2Cry first looks for any removable devices, such as pen drives and external hard drives, connected to the compromised computer and copies itself as Update.exe to the root folder of each USB device it finds.
Next, it hides all files on the removable device and replaces them with Windows shortcuts (LNK files) carrying the same icons. When the victim clicks one of these shortcuts, it opens the original file and also launches the Update.exe Try2Cry payload in the background.
The ransomware also creates visible copies of itself on the USB drives, using the default Windows folder icon and Arabic names, in the hope that curious victims will click on them and infect themselves. Try2Cry's Windows shortcuts also show the arrow overlay on the side of the shortcut icons, which makes them a lot easier to spot after a USB flash drive has been infected.
Try2Cry is also decryptable, a sure sign that it was created by someone with very little programming experience.