Try2Cry Ransomware Targets Windows Systems As It Spreads Via USB Flash Drives

Heads up, Windows users! Be careful when plugging unknown USB flash drives into your Windows PCs: the new Try2Cry ransomware is around. It has wormable capabilities, copying itself to removable drives and luring victims with Windows shortcut (LNK) files.

Try2Cry Ransomware Targeting Windows

Researchers have caught a new Windows ransomware active in the wild. Dubbed Try2Cry, the ransomware exhibits the wormable capability to infect other systems.

Sharing the analysis in a post, researcher Karsten Hahn revealed that the malware is a variant of the Stupid ransomware family. It reaches target devices via infected USB flash drives, using Windows shortcut (.lnk) files as the lure that gets the victim to run it.

Researchers identified numerous samples of this ransomware, some with the wormable capability and some without it. All of them append the .Try2Cry extension to file names after encryption.

For encryption, the malware uses the Rijndael algorithm with a hardcoded key. It targets files by extension, including .doc, .docx, .xls, .xlsx, .ppt, .pptx, .jpg and .pdf.

The ransomware also skips machines named DESKTOP-PQ6NSM4 or IK-PC2 entirely, presumably the developer's own test systems.

Wormable Capabilities of Try2Cry

For propagation, the malware uses techniques similar to those seen in the Spora, Dinihou and Gamarue families. It scans for removable drives and drops a copy of itself as 'Update.exe' in the root folder of each drive. It then hides the original files on the drive and puts a Windows shortcut (.lnk) file with the same name and icon in place of each one, so that a victim who "opens a document" from the stick actually launches the malware.

Besides the hidden files, the malware also places additional visible files with folder icons and Arabic names on the drive, another apparent attempt to lure the user into double-clicking them.
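As an added illustration (not code from the article or from the researcher's analysis), the following PowerShell script triages a mounted removable drive for the lure layout described above without opening anything on it: a copy of the malware named Update.exe in the drive root, visible .lnk files that shadow a hidden original of the same name or whose target points back at Update.exe, and visible executables with Arabic names. Update.exe is the only file name taken from the report; the drive letter, the example file names in comments and the choice of indicators are assumptions for illustration.

```powershell
# Added triage script (not from the original article or the researcher's analysis).
# Looks for the Try2Cry-style USB lure layout on a mounted removable drive.
# Assumptions: the drive is mounted read-only or at least nothing on it is double-clicked;
# 'Update.exe' is the dropper name from the report, every other name is illustrative.
param(
    [Parameter(Mandatory = $true)]
    [string]$DriveRoot   # e.g. 'E:\' (assumed drive letter of the suspicious stick)
)

$shell    = New-Object -ComObject WScript.Shell
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Indicator, [string]$Path, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Indicator = $Indicator; Path = $Path; Detail = $Detail })
}

# 1. Dropper copy in the root folder
$dropper = Join-Path $DriveRoot 'Update.exe'
if (Test-Path -LiteralPath $dropper) {
    $hash = (Get-FileHash -LiteralPath $dropper -Algorithm SHA256).Hash
    Add-Finding 'RootDropper' $dropper "sha256=$hash"
}

# 2. Shortcut lures: a visible .lnk whose same-named sibling is hidden,
#    or whose resolved target/arguments reference Update.exe.
#    Get-ChildItem without -Force deliberately lists only visible entries, as the victim sees them.
Get-ChildItem -LiteralPath $DriveRoot -Filter '*.lnk' -File -Recurse | ForEach-Object {
    $lnk      = $_
    $twinName = [IO.Path]::GetFileNameWithoutExtension($lnk.Name)   # 'report.docx.lnk' -> 'report.docx'
    $twinPath = Join-Path $lnk.DirectoryName $twinName
    $hiddenTwin = $false
    if (Test-Path -LiteralPath $twinPath) {
        $attrs      = (Get-Item -LiteralPath $twinPath -Force).Attributes
        $hiddenTwin = [bool]($attrs -band [IO.FileAttributes]::Hidden)
    }
    $sc = $shell.CreateShortcut($lnk.FullName)   # parses the .lnk metadata, does not run the target
    $pointsAtDropper = ($sc.TargetPath -match '(?i)update\.exe$') -or ($sc.Arguments -match '(?i)update\.exe')
    if ($hiddenTwin -or $pointsAtDropper) {
        Add-Finding 'LureShortcut' $lnk.FullName "target=$($sc.TargetPath) args=$($sc.Arguments) icon=$($sc.IconLocation) hiddenTwin=$hiddenTwin"
    }
}

# 3. Visible executables carrying Arabic names (the folder-icon lures)
Get-ChildItem -LiteralPath $DriveRoot -File -Recurse |
    Where-Object { $_.Extension -match '^\.(exe|scr|com)$' -and $_.BaseName -match '\p{IsArabic}' } |
    ForEach-Object {
        $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        Add-Finding 'ArabicNamedExe' $_.FullName "sha256=$hash"
    }

if ($findings.Count -eq 0) {
    Write-Output "No Try2Cry-style lure layout found on $DriveRoot"
} else {
    $findings | Format-Table -AutoSize
}
```

Run it as `.\Check-UsbLures.ps1 -DriveRoot 'E:\'` from an analysis host; the WScript.Shell COM object only reads the shortcut's stored target and icon, so inspecting the .lnk files this way does not execute them. The SHA256 hashes in the output are what you would submit to your sandbox or threat-intel lookup rather than the files themselves.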

The good news about this ransomware is that files it encrypts are decryptable, since the key is hardcoded. The researchers believe the threat actors may simply have copy-pasted existing code to create this variant.

Nonetheless, users should remain very careful when attaching flash drives from external sources to their systems.
