08 July 20, 06:54
Quote:
Try2Cry ransomware adopts USB flash drive spreading using LNK files. The last ransomware that did the same was the infamous Spora. The code of Try2Cry looks oddly familiar, though.
A big portion of my work as malware analyst at G Data is writing detection signatures for our product. One of those signatures checks for a USB worm component that I have seen in certain variants of .NET based RATs like njRAT and BlackNet RAT. When this worm signature hit on an unidentified sample (1), I got curious. It was a .NET ransomware that seemed oddly familiar to me. I couldn’t put a finger on it yet.
Initial static analysis
The ransomware (1) contains the following image in its .NET resources and a ransom note in the strings listing.
The strings listing indicates:
- DNGuard was used to protect the sample
- .Try2Cry extension is appended to encrypted files
- Contact email is Try2Cry@Indea.info

The sample crashed upon running and removing the DNGuard protection seemed very tedious. It also seems to be a trial version of DNGuard. So I used an old trick that I have up my lazy-analyst sleeves and made a Yara hunt rule to obtain similar samples on VirusTotal. As the malware developers often test their samples on VirusTotal with and without certain protection features applied, you can usually find unprotected ones.
Indeed, I found 10 more Try2Cry samples, none of which had DNGuard protection. Some of those samples have the worm component, some of them don’t. A few of them have Arabic ransom notes. All of them append .Try2Cry to encrypted files.
Identifying the ransomware family
In private conversation with Michael Gillespie, he identified the sample as being a variant of the “Stupid” ransomware family. By the way: this name was given by the malware authors themselves and is not mockery from our side.
“Stupid” is an open source ransomware on Github that has numerous variants. This explains the familiarity I felt while seeing the sample.
The following analysis is mainly based on sample (2) and sample (3). Sample (2) has a slight obfuscation. Sample (3) has no worm component but also no obfuscation, making it a better candidate for code based screenshots. This sample (3) also uses Arabic ransom notes and a different contact email: info@russianvip.io
...
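As an added illustration of the string-based hunting described in the quoted post (my own rule, not G Data's detection signature and not the actual hunt rule the author used), here is a Yara rule built only from the indicators the post names: the .Try2Cry extension and the two contact addresses. The rule name and the mscoree.dll import check for .NET binaries are my assumptions.

```yara
// Added example, not G Data's signature. Indicators are taken from the post;
// the rule name and the .NET check are assumptions of this example.
rule Try2Cry_hunt_indicators
{
    meta:
        description = "Hunt for Try2Cry (Stupid ransomware variant) by static string indicators"
        reference   = "Try2Cry analysis quoted above"

    strings:
        // .NET string literals are stored as UTF-16 in the #US heap, so
        // match both wide and ascii; an ascii-only rule misses the samples
        $ext   = ".Try2Cry" wide ascii
        $mail1 = "Try2Cry@Indea.info" wide ascii nocase
        $mail2 = "info@russianvip.io" wide ascii nocase
        // managed executables import the CLR loader from mscoree.dll
        $clr   = "mscoree.dll" ascii nocase

    condition:
        // PE file ("MZ" header) that is a .NET binary ...
        uint16(0) == 0x5A4D and $clr and
        // ... carrying the extension indicator and at least one contact address
        $ext and 1 of ($mail*)
}
```

Samples still wrapped by DNGuard may not expose these strings, which is exactly why the post hunts for the unprotected variants the developers uploaded alongside them.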