A ransomware strain called Try2Cry is spreading to Windows computers via USB flash drives, using Windows shortcuts that pose as the victims’ own files to lure them into infecting themselves. Try2Cry was discovered by G DATA malware analyst Karsten Hahn when a detection signature written to identify USB worm components fired during the analysis of an unidentified malware sample.
Try2Cry is a .NET ransomware and a variant of the open-source Stupid ransomware family. Stupid ransomware variants are thought to be created by less skilled malware developers and regularly use law enforcement or pop culture themes.
After infecting a computer, Try2Cry encrypts .doc, .ppt, .jpg, .xls, .pdf, .docx, .pptx, .xls, and .xlsx files and appends a .Try2Cry extension to each encrypted file. The files are encrypted with the Rijndael symmetric cipher using a hardcoded encryption key.
Try2Cry also contains a failsafe that skips encryption on any system whose machine name is DESKTOP-PQ6NSM4 or IK-PC2. This is most likely a safeguard to stop the malware’s creator from locking his own files while testing the ransomware on his own devices.
Try2Cry Ransomware Spreads via USB Flash Drives
Try2Cry can spread to other devices via USB flash drives, using a technique similar to the one used by the Spora and Andromeda malware strains. It first looks for any removable drives connected to the computer and then drops a copy of itself named Update.exe in the root folder of each USB flash drive it finds.
Next, it hides every file on the removable drive and replaces each one with a Windows shortcut (LNK file) that uses the same icon as the hidden file. When clicked, the shortcut opens the original file and launches Try2Cry’s Update.exe in the background.
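A triage check for the USB lure described above, added here as an example that is not G DATA’s or the article author’s code: it pulls the StringData fields out of a Windows Shell Link (.lnk) file and flags a shortcut that shares its name with a file hidden on the drive and whose target or arguments reference Update.exe. The page does not give Try2Cry’s actual shortcut command line, so the sample .lnk, its cmd.exe target, the hidden-file set and the name-matching rule are all constructed assumptions.

```python
import struct

LNK_HEADER_SIZE = 0x4C
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData sections follow the header (and any IDList/LinkInfo) in this fixed order (MS-SHLLINK).
STRING_SECTIONS = [("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
                   ("arguments", 0x20), ("icon_location", 0x40)]
DROPPER_NAME = "update.exe"  # the worm copy Try2Cry writes to each drive root

def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a Shell Link, skipping IDList/LinkInfo if present."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_ID_LIST:  # IDListSize (u16) followed by that many bytes of item IDs
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize (u32) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for key, bit in STRING_SECTIONS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, not bytes
        pos += 2
        size = count * 2 if unicode else count
        fields[key] = data[pos:pos + size].decode("utf-16-le" if unicode else "cp1252")
        pos += size
    return fields

def is_try2cry_lure(lnk_name: str, lnk_data: bytes, hidden_names: set) -> bool:
    """Flag a .lnk that impersonates a now-hidden file and references the dropper (assumed rule)."""
    stem = lnk_name[:-4] if lnk_name.lower().endswith(".lnk") else lnk_name
    fields = parse_lnk_strings(lnk_data)
    mentions_dropper = any(DROPPER_NAME in value.lower() for value in fields.values())
    return stem in hidden_names and mentions_dropper

def build_sample_lnk(arguments: str, icon: str) -> bytes:
    """Constructed minimal Unicode .lnk with RelativePath, Arguments and IconLocation only."""
    def field(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, b"\x00" * 16, 0x08 | 0x20 | 0x40 | IS_UNICODE)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    return header + field("cmd.exe") + field(arguments) + field(icon)

# Constructed drive contents; the command line is an assumed shape, not one recovered from Try2Cry.
HIDDEN_ON_DRIVE = {"report.docx", "holiday.jpg"}
LURE_LNK = build_sample_lnk("/c start report.docx & start Update.exe", "report.docx")
```

On a real Windows host the hidden-file set can be built from os.stat(path).st_file_attributes tested against stat.FILE_ATTRIBUTE_HIDDEN, and each *.lnk in the drive root fed to is_try2cry_lure.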
Luckily, Try2Cry shares another trait with other Stupid ransomware variants: it is decryptable. That is a telling sign that it was likely created by someone with very little programming experience, and hopefully it will be eradicated in the not too distant future.