Ransomware attacks have risen at an unprecedented rate during the COVID period. The increase is rampant and involves advanced and highly notorious techniques. But not all attacks are equally severe. Recently, researchers at G Data security traced a seemingly “dangerous” ransomware called Try2Cry. Interestingly, the malware belongs to the “Stupid” ransomware family, and it does justice to this adjective. The ransomware spreads through USB drives to compromise more systems and encrypts typical data files on the host system using Rijndael encryption.
This recently traced open-source ransomware is written in .NET, and its functionality resembles that of Spora, which appeared three years ago. The ransomware has a worm component that allows it to spread quickly to Windows systems through USB devices. This feature also appeared in the njRAT remote access trojan.
Furthermore, researchers at G Data security found that this new piece of ransomware, which is obfuscated with the DNGuard protection tool, is a member of the “Stupid” Ransomware Family. Interestingly, several versions of the ransomware's code are available on GitHub for aspiring black hat hackers to use. Stupid Ransomware Family variants are usually coded by less skilled developers, and the family is called so by the threat actors themselves. The variants frequently use law enforcement and pop culture themes.
Researchers investigated several samples of the Try2Cry ransomware, including some which do not feature the worm component. They also discovered that the ransomware uses Rijndael, the predecessor of AES, for encrypting files on the host systems.
Compromising systems, accessing and encrypting files (with the extension .try2Cry) and holding them in exchange for commission fees is the prime attack strategy of the Try2Cry Stupid ransomware.
Worming Through USB Drives
The virus is disseminated in various ways, including spear-phishing, cracks, keygens, fake software updates, etc. But the distinguishing feature of this new piece of ransomware is its ability to spread through USB drives. Try2Cry falls into the category of USB worms.
The tactic employed by the worm component is similar to that of Spora, Dinihou or Gamarue: the virus searches for any connected USB drive and places a copy of itself (named Update.exe) on the device. It hides its copy in the root folder of the drive and then also hides all the files present on the removable device. The hidden files are replaced with Windows shortcuts (LNK files) that point to both the original file and Update.exe.
The Try2Cry ransomware also places visible copies of itself with Arabic names to lure victims into opening them. Google translates the Arabic names to:
The Five Origins
When a user clicks on one of the impersonating files, the virus is activated and the payload starts in the background.
The Arabic file names are a dead giveaway for targets who don’t speak Arabic.
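A defender-side check for the root-folder layout described above, as an added example that is not from G Data or the original article. It assumes each shortcut is named after the hidden file it replaces; the function names and sample listings are constructed for illustration.

```python
import os

DROPPER = "update.exe"   # name of the worm copy, per the article
HIDDEN = 0x2             # Windows FILE_ATTRIBUTE_HIDDEN bit


def list_root(root):
    """Return [(name, is_hidden)] for every entry in a drive's root folder."""
    rows = []
    for entry in os.scandir(root):
        # st_file_attributes exists only on Windows; elsewhere nothing is hidden
        attrs = getattr(entry.stat(follow_symlinks=False), "st_file_attributes", 0)
        rows.append((entry.name, bool(attrs & HIDDEN)))
    return rows


def usb_worm_findings(entries):
    """Flag the layout described above in a [(name, is_hidden)] listing."""
    hidden = {name.lower() for name, is_hidden in entries if is_hidden}
    # Assumption: a shortcut is named after the file it replaces,
    # with or without the original extension ("a.docx.lnk" or "a.lnk").
    replaced = hidden | {os.path.splitext(name)[0] for name in hidden}
    findings = []
    for name, is_hidden in entries:
        low = name.lower()
        if low == DROPPER and is_hidden:
            findings.append(("hidden_dropper", name))
        elif low.endswith(".lnk") and low[:-4] in replaced:
            findings.append(("lnk_replaces_hidden_file", name))
    # Executables and shortcuts are excluded: the worm leaves those visible.
    others = [h for n, h in entries if not n.lower().endswith((".lnk", ".exe"))]
    if others and all(others):
        findings.append(("all_user_files_hidden", str(len(others))))
    return findings


def looks_infected(entries):
    """True when the hidden dropper and at least one stand-in shortcut coexist."""
    kinds = {kind for kind, _ in usb_worm_findings(entries)}
    return {"hidden_dropper", "lnk_replaces_hidden_file"} <= kinds


# Constructed sample listings (not taken from a real drive).
INFECTED = [("Update.exe", True), ("budget.xlsx", True), ("budget.xlsx.lnk", False),
            ("photo.jpg", True), ("photo.lnk", False)]
CLEAN = [("Update.exe", False), ("budget.xlsx", False), ("notes.lnk", False)]

if __name__ == "__main__":
    for label, listing in (("infected", INFECTED), ("clean", CLEAN)):
        print(label, looks_infected(listing), usb_worm_findings(listing))
```

On a Windows host, `looks_infected(list_root("E:\\"))` applies the same check to a mounted drive, where `E:` is a placeholder drive letter.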
Encryption with a failsafe
Once triggered, the ransomware runs its cipher and locks files with the extensions .doc, .ppt, .jpg, .xls, .pdf, .docx, .pptx, .xls, and .xlsx, appending the extension .try2cry. Because of its inefficient code, the virus cannot encrypt every file.
The ransomware uses the Rijndael symmetric key encryption algorithm and the SHA512 hash of the password to lock the data. Once the files are encrypted, the victim sees a ransom note with no information about the ransom amount or time, only the threat actor’s email address and a unique key.
The Try2Cry developers included a failsafe that skips encryption on systems with the machine names DESKTOP-PQ6NSM4 or IK-PC2. This is probably to allow the threat actors to run the tool on their own systems without inadvertently locking the files on them.
Like other Stupid Ransomware variants, Try2Cry is also decryptable, which indicates that it was developed by cyber crooks with little programming experience.
Mitigations and Preventions
Researchers regard Try2Cry as poorly coded malware with inefficient functionality. Furthermore, the encrypted files are decryptable, which indicates that it is just another “copy&paste” malware created by criminals who can barely program. Nevertheless, this doesn’t reduce the risk of data loss.
Never click on suspicious files on removable drives, as these can pose potential threats to your data and system. Always scan plugged-in drives to ensure safety.
Beware when the system prompts for a software update or file download. This is a prominent technique used by cybercriminals to penetrate machines.
If your system is infected by Try2Cry ransomware, first scan it with a professional and genuine antivirus utility, as the ransomware can spread further through removable devices. It is advisable to perform a full virus elimination in Safe Mode with Networking. Use a Reimage utility to recover Windows. Then, after successfully removing the virus, decrypt your files for free using the Stupid decryption tool.
Stay safe, Stay Updated!