G Data security researchers have identified a new family of ransomware that uses infected USB drives to attempt spread.
The new piece of ransomware, Dubbed Try2Cry, borrows functionality from Spora, which first emerged three years ago. Written in. NET, Try2Cry features a similar USB worm component to that observed in the Trojan remote access njRAT beforehand.
The latest piece of ransomware appears linked to the ransomware family “stupid” which is available on GitHub in open source.
Security researchers from G Data discovered several Try2Cry samples during their investigation, including some that don’t pack up the worm part. They also found out the malware is using Rijndael, AES’ predecessor, for encryption.
“Password encryption is hard coded. Calculating a SHA512 hash of the password and using the first 32 bits of this hash produces the encryption key (see image below). The IV development is almost identical to the key, but it uses the same SHA512 hash’s next 16 bits (indices 32-47),’ the researchers explain.
The technique employed by the worm portion is identical to that used by Spora, Dinihou or Gamarue: the malware scans for any attached removable drives, hides a copy of itself in the root folder (a file called Update.exe), then hides all files on the drive and replaces them with non-hidden LNK files (shortcuts) pointing to both the original file and Update.exe.
The ransomware would also place visible copies of themselves featuring Arabic names (they translate to Very special, Important, passwords, a stranger, and The Five Origins), trying to lure users into launching them.
Despite these efforts, due to the shortcut icons used for the LNK files, and the Arabic executables, G Data points out, the USB drive infection is very easy to find. In addition, files encrypted with this ransomware are decryptable, since the malware appears to be “just one of many variants of copy & paste ransomware created by criminals that can hardly program,” concludes G Data.