Try2Cry: New ransomware with worm function infects Windows systems

Try2Cry copies itself to removable media, where it replaces all stored files with LNK files that carry the same file names. The shortcuts then launch the copy of the ransomware.

G Data warns of a new ransomware for Windows. The malware, called Try2Cry, has an additional worm function that lets it infect other systems outside of a network. For this purpose, the ransomware copies itself to USB drives.

Try2Cry is a .NET-based ransomware and a variant of the Stupid family. This was the result of an investigation by Karsten Hahn, malware analyst at G Data.

After the ransomware has infected a device, it turns to its actual purpose and encrypts various file formats, including Word documents, Excel spreadsheets and PowerPoint presentations, but also PDF files and photos. It uses the symmetric Rijndael encryption algorithm with a hard-coded encryption key. The key is derived from the first 32 bits of the SHA512 hash of the password.

The code also contains exceptions for Windows systems with certain computer names. Files on those systems are not encrypted. Bleeping Computer suspects that these are the names of the computers used by the people behind Try2Cry, so that they do not accidentally encrypt their own machines.

Try2Cry differs from other ransomware mainly in its worm function. The malware searches for external drives and stores a copy of itself there under the name “Update.exe”. It also hides all files stored on the drive and replaces them with Windows shortcuts (.lnk) that use the same file icon. However, double-clicking does not open the file the user expects. Instead, the shortcut points to Update.exe, which means that Try2Cry is installed in the background.

In contrast to the ransomware Spora, which also spreads via USB drives, Try2Cry uses icons that show the arrow typical of shortcuts in the lower left corner. This makes it easier to spot tampering on a USB stick. The ransomware also places additional copies of itself on the removable storage device, with file names consisting of Arabic characters, which should surprise users, especially those who do not speak Arabic.
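The drive-level traces described above (a file named Update.exe, hidden files, and shortcuts that point to Update.exe) can be checked with a short triage script. This is an added example, not code from G Data or from the article; the function names, the shortcut naming scheme and the byte-search heuristic used instead of a full LNK parser are assumptions, and the sample files are constructed.

```python
import os
import tempfile
from pathlib import Path

DROPPER = "Update.exe"        # file name reported in the article
FILE_ATTRIBUTE_HIDDEN = 0x2   # Windows "hidden" attribute bit

def references_dropper(lnk_path):
    """Heuristic, not a full LNK parser: search the raw shortcut bytes
    for the dropper name in ANSI and UTF-16LE form."""
    data = Path(lnk_path).read_bytes().lower()
    name = DROPPER.lower()
    return name.encode("ascii") in data or name.encode("utf-16-le") in data

def is_hidden(path):
    # st_file_attributes exists only on Windows; elsewhere this is False.
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN)

def scan_drive(root, hidden=is_hidden):
    """Report the indicators described above in the top level of root."""
    files = [p for p in Path(root).iterdir() if p.is_file()]
    report = {"dropper": any(p.name.lower() == DROPPER.lower() for p in files),
              "shortcuts": [], "hidden_originals": []}
    for lnk in files:
        if lnk.suffix.lower() != ".lnk" or not references_dropper(lnk):
            continue
        report["shortcuts"].append(lnk.name)
        # Assumption: a shortcut is named after the file it stands in for,
        # as "name.ext.lnk" or "name.lnk".
        for f in files:
            same = f.name == lnk.stem or f.stem == lnk.stem
            if f.suffix.lower() != ".lnk" and same and hidden(f):
                report["hidden_originals"].append(f.name)
    return report

def build_sample(root):
    """Write constructed, inert stand-in files for a dry run."""
    root = Path(root)
    (root / DROPPER).write_bytes(b"constructed placeholder, not a program")
    (root / "report.docx").write_bytes(b"constructed document")
    (root / "report.docx.lnk").write_bytes("E:\\Update.exe".encode("utf-16-le"))
    (root / "notes.lnk").write_bytes("C:\\Windows\\notepad.exe".encode("utf-16-le"))

if __name__ == "__main__":
    # Dry run on constructed files; on Windows, call scan_drive() on a drive root.
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        print(scan_drive(d, hidden=lambda p: p.name == "report.docx"))
```

The `hidden` parameter exists so the logic can be exercised on systems without the Windows hidden attribute; on Windows the default reads the real attribute.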

G Data believes that the people behind Try2Cry are not savvy malware authors. This is suggested not only by the open-source ransomware Stupid, which they used to develop Try2Cry. According to G Data, it is possible to decrypt files encrypted by the new ransomware without paying a ransom.

