Try2Cry: Ransomware tries to worm
#1
Bug 
Quote:

Try2Cry ransomware adopts USB flash drive spreading using LNK files. The last ransomware that did the same was the infamous Spora. The code of Try2Cry looks oddly familiar, though.

A big portion of my work as a malware analyst at G Data is writing detection signatures for our product. One of those signatures checks for a USB worm component that I have seen in certain variants of .NET based RATs like njRAT and BlackNet RAT. When this worm signature hit on an unidentified sample (1), I got curious. It was a .NET ransomware that seemed oddly familiar to me. I couldn’t put a finger on it yet.

Initial static analysis

The ransomware (1) contains the following image in its .NET resources and a ransom note in the strings listing.

The strings listing indicates
  • DNGuard was used to protect the sample
  • .Try2Cry extension is appended to encrypted files
  • Contact email is Try2Cry@Indea.info
The sample crashed upon running and removing the DNGuard protection seemed very tedious. It also seems to be a trial version of DNGuard. So I used an old trick that I have up my lazy-analyst sleeves and made a Yara hunt rule to obtain similar samples on VirusTotal. As the malware developers often test their samples on VirusTotal with and without certain protection features applied, you can usually find unprotected ones.

Indeed, I found 10 more Try2Cry samples, none of which had DNGuard protection. Some of those samples have the worm component, some of them don’t. A few of them have Arabic ransom notes. All of them append .Try2Cry to encrypted files.

Identifying the ransomware family

In private conversation with Michael Gillespie, he identified the sample as being a variant of the “Stupid” ransomware family. By the way: This name was given by the malware authors themselves and is not mockery from our side.

“Stupid” is an open source ransomware on GitHub that has numerous variants. This explains the familiarity I felt while seeing the sample.

The following analysis is mainly based on sample (2) and sample (3). Sample (2) has a slight obfuscation. Sample (3) has no worm component but also no obfuscation, making it a better candidate for code-based screenshots. This sample (3) also uses Arabic ransom notes and a different contact email: info@russianvip.io
...
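As an added illustration (not the rule from the G DATA post), here is the kind of YARA hunt rule the "lazy-analyst trick" above relies on, built only from the indicators the post lists: the .Try2Cry extension, the two contact addresses and the DNGuard marker. The filesize bound, the mscoree.dll import as a .NET marker and the ascii/wide encodings are my assumptions, not details from the post.

```yara
rule Try2Cry_hunt_unprotected_assumed
{
    meta:
        description = "Hunt for unprotected Try2Cry (.NET 'Stupid' variant) samples"
        reference   = "G DATA blog: Try2Cry - Ransomware tries to worm"
        note        = "Illustrative rule written for this thread, not the original G DATA rule"

    strings:
        // Indicators taken from the strings listing quoted in the post
        $ext   = ".Try2Cry" ascii wide
        $mail1 = "Try2Cry@Indea.info" ascii wide nocase
        $mail2 = "info@russianvip.io" ascii wide nocase

        // Assumed marker for a managed (.NET) executable: the CLR loader import
        $net   = "mscoree.dll" ascii nocase

        // Protector marker seen in the strings listing of sample (1);
        // used here to prefer builds without DNGuard, which are easier to analyse
        $dng   = "DNGuard" ascii wide

    condition:
        // PE header, a size bound (assumed) to keep hunt results small
        uint16(0) == 0x5A4D and filesize < 2MB
        // a .NET binary that carries the extension and at least one contact address
        and $net and $ext and 1 of ($mail*)
        // drop this clause to also collect DNGuard-protected builds
        and not $dng
}
```

The `not $dng` clause is what separates the unprotected test builds the post talks about from the protected ones; remove it if the goal is to collect the whole family rather than analysable samples.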