Try2Cry: Ransomware tries to worm
Quote:

Try2Cry ransomware adopts USB flash drive spreading using LNK files. The last ransomware that did the same was the infamous Spora. The code of Try2Cry looks oddly familiar, though.

A big portion of my work as a malware analyst at G Data is writing detection signatures for our product. One of those signatures checks for a USB worm component that I have seen in certain variants of .NET based RATs like njRAT and BlackNet RAT. When this worm signature hit on an unidentified sample (1), I got curious. It was a .NET ransomware that seemed oddly familiar to me. I couldn’t put a finger on it yet.

Initial static analysis

The ransomware (1) contains the following image in its .NET resources and a ransom note in the strings listing.

The strings listing indicates
  • DNGuard was used to protect the sample
  • .Try2Cry extension is appended to encrypted files
  • Contact email is Try2Cry@Indea.info

The sample crashed upon running and removing the DNGuard protection seemed very tedious. It also seems to be a trial version of DNGuard. So I used an old trick that I have up my lazy-analyst sleeves and made a Yara hunt rule to obtain similar samples on VirusTotal. As the malware developers often test their samples on VirusTotal with and without certain protection features applied, you can usually find unprotected ones.

Indeed, I found 10 more Try2Cry samples, none of which had DNGuard protection. Some of those samples have the worm component, some of them don’t. A few of them have Arabic ransom notes. All of them append .Try2Cry to encrypted files.

Identifying the ransomware family

In private conversation with Michael Gillespie, he identified the sample as being a variant of the “Stupid” ransomware family. By the way: This name was given by the malware authors themselves and is not mockery on our part.

“Stupid” is an open source ransomware on Github that has numerous variants. This explains the familiarity I felt while seeing the sample.

The following analysis is mainly based on sample (2) and sample (3). Sample (2) has a slight obfuscation. Sample (3) has no worm component but also no obfuscation, making it a better candidate for code based screenshots. This sample (3) also uses Arabic ransom notes and a different contact email: info@russianvip.io
...
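The hunt-rule trick described in the quoted article, written out as an added example (not the author's actual rule): it keys on the strings the analysis lists (.Try2Cry extension, the two contact emails) and restricts matches to .NET executables via the mscoree.dll import, so both worm and non-worm builds are caught. The string-based part assumes the sample is not DNGuard-protected, since protected builds hide the user strings.

```yara
import "pe"

rule Try2Cry_hunt_strings
{
    meta:
        description = "Hunt rule for unprotected Try2Cry (Stupid ransomware variant) builds"
        reference   = "G DATA blog: Try2Cry: Ransomware tries to worm"
        note        = "Added example, not the author's original rule; strings taken from the article"

    strings:
        // .NET user strings are stored as UTF-16 in the #US heap, so match both widths
        $ext   = ".Try2Cry" ascii wide
        $mail1 = "Try2Cry@Indea.info" ascii wide nocase
        $mail2 = "info@russianvip.io" ascii wide nocase

    condition:
        // MZ header (little-endian 'MZ' reads as 0x5A4D)
        uint16(0) == 0x5A4D
        // managed executables import the CLR entry point from mscoree.dll
        and pe.imports("mscoree.dll", "_CorExeMain")
        // the extension alone or either contact address is enough for a hunt hit
        and ($ext or any of ($mail*))
}
```

Used as a VirusTotal Livehunt rule this is deliberately loose; triage hits by the .Try2Cry extension and ransom note before treating a match as a confirmed family member.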