Heads up Windows users! Be careful while connecting random USB flash drives to your Windows PCs as the new Try2Cry ransomware is around. The ransomware bears wormable capabilities to spread laterally via flash drives or Windows shortcut (LNK) files.
Try2Cry Ransomware Targeting Windows
Researchers have caught a new Windows ransomware active in the wild. Dubbed Try2Cry, the ransomware exhibits the wormable capability to infect other systems.
Sharing the analysis in a post, the researcher Karsten Hahn revealed that the malware is a variant of Stupid ransomware. It reaches target devices via infected USB flash drives or via Windows shortcut (.lnk) files.
Researchers could identify numerous samples of this ransomware, some with wormable capabilities, and some lacking it. All of them add .Try2Cry extension to files names after encryption.
As for encryption, the malware employs Rijndael algorithm with a hardcoded encryption key. It scans various file extensions for encryption, including .doc, .xls, .ppt, .jpg, .xlsx, .docx, .pptx, .xls, and .pdf.
Moreover, the ransomware includes the exception of machine names DESKTOP-PQ6NSM4 or IK-PC2 for infection.
Wormable Capabilities of Try2Cry
Whereas, for wormability, the malware employs techniques similar to the Spora, Dinihou or Gamarue ransomware. It scans for removable drives and places a copy of itself as ‘Update.exe’ in the root folder of the device. It then hides all original files replacing them with non-original Windows Shortcut files bearing the same icons.
Besides hidden files, the malware also places visible files in the device with folder icons and Arabic names. This looks like a possible attempt to lure the user into clicking the file.
Though, what’s positive with this ransomware is that its files are decryptable. The researchers believe that the threat actors may have simply applied copy-paste to create this variant.
Nonetheless, users must stay very careful while attaching flash drives to their systems from external sources to avoid any mishap.