
Try2Cry Ransomware

Posted: July 4, 2020

The Try2Cry Ransomware is a file-locking Trojan that encrypts Microsoft Office files and other documents and pictures so that its operators can sell the unlocker. Many versions of this Trojan also include a worm component that spreads through USB devices by planting disguised shortcut (LNK) files. Users should refrain from sharing portable drives until they remove the Try2Cry Ransomware and disinfect every attached USB drive with compatible security software.

Your USB Stick might be Soaking in Reasons for Crying

Although the Wannacryptor Ransomware, AKA 'WannaCry,' is no longer the force it once was, inexperienced threat actors still favor names that allude to that infamous campaign. A new threat that is both a file-locking Trojan and an optional worm keeps up this naming convention: the Try2Cry Ransomware. Like the botnets and worms more commonly associated with cryptocurrency mining or intelligence-gathering operations, the Try2Cry Ransomware spreads through a built-in mechanism, without manual help from the attackers.

Many, but not all, versions of the Try2Cry Ransomware propagate through a USB-infecting component. This feature hides the original files on USB storage devices and replaces them with LNK (shortcut) files, although there is a minor telltale sign: the icons carry the extra arrow overlay that Windows draws on shortcuts. A user who opens one of these shortcuts on a clean system with the drive plugged in installs the Try2Cry Ransomware on that system. The shortcuts also carry visible Arabic names, which shows that the threat actor has minimal interest in evading suspicion or analysis.

The Try2Cry Ransomware's file-locking features are ones that malware experts judge as far more standard for a Trojan of its category. It uses AES or Rijndael to lock files, just like most Ransomware-as-a-Service families. It encrypts a handful of formats: JPG pictures, some documents, Excel spreadsheets and PowerPoint presentations. Ransoming remains the goal of this campaign, with the criminals selling a decryption service for file recovery. However, malware experts have yet to collect data on prices or wallet histories.

Keeping Amateur Hackers Crying for Never-Arriving Ransoms

Although the Try2Cry Ransomware includes some obfuscation, the first analyses of its samples show a clear lineage: the Stupid Ransomware, AKA FTSCoder. This freely available Trojan is a resource that amateur campaigns sometimes abuse, with the same motivations as the more polished Ransomware-as-a-Service families such as the Scarab Ransomware. Fortunately, an enormous difference between the Try2Cry Ransomware's family and the average Ransomware-as-a-Service is the availability of free decryption tools that can restore the victim's files painlessly and without a ransom.

Besides practicing generally good security habits, Windows users can examine their removable drives for characteristics that match the symptoms of a Try2Cry Ransomware infection. Arabic-named executables, files whose icons carry the extra shortcut arrow, and unexplained changes in available storage space are all visible evidence of infection. While malware experts can't verify that the Try2Cry Ransomware uses the AutoPlay feature, the ongoing abuse of USB sticks makes leaving AutoPlay casually enabled a critical safety issue.
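The drive inspection described above can be scripted. The following is an added example, not code from the original article or from any analysis of the Try2Cry Ransomware samples; it is a read-only triage script that looks for the three symptoms the text names (hidden originals sitting beside same-named .lnk shortcuts, names in Arabic script, and space consumed by hidden entries). The drive letter, the heuristics, and the executable-extension list are all assumptions chosen for illustration; the script parses shortcuts through the WScript.Shell COM object but never opens or runs them, and it changes nothing on the drive.

```powershell
<#
Added example (not part of the original article): triage a removable drive for the
"hide the original, drop a shortcut in its place" pattern. Everything here is read-only.
Assumptions: root-directory scan only, DriveType 2 = removable media, and the
heuristics and thresholds below are illustrative, not derived from any sample.
#>
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[A-Za-z]$')]
    [string]$DriveLetter
)

$root = "${DriveLetter}:\"
if (-not (Test-Path -LiteralPath $root)) { throw "Drive $root not found" }

# Win32_LogicalDisk DriveType 2 = removable media; warn if this is not a USB stick
$disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='${DriveLetter}:'"
if ($disk.DriveType -ne 2) {
    Write-Warning "$root is not a removable drive (DriveType=$($disk.DriveType))"
}

$shell    = New-Object -ComObject WScript.Shell
$findings = New-Object System.Collections.Generic.List[object]
$items    = Get-ChildItem -LiteralPath $root -Force   # -Force lists hidden/system entries too
$hidden   = [IO.FileAttributes]::Hidden
$system   = [IO.FileAttributes]::System

function Add-Finding([string]$Rule, [string]$Path, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Rule = $Rule; Path = $Path; Detail = $Detail })
}

# Heuristic 1: a .lnk that launches an executable stored on the same drive, or that
# has a hidden sibling with the same base name (the shortcut standing in for the file)
foreach ($lnk in ($items | Where-Object { $_.Extension -ieq '.lnk' })) {
    $sc = $shell.CreateShortcut($lnk.FullName)    # parses the .lnk; does not execute it
    $launch = "$($sc.TargetPath) $($sc.Arguments)".Trim()
    if ($launch -match [regex]::Escape("${DriveLetter}:") -and
        $launch -match '\.(exe|scr|bat|cmd|vbs|js)\b') {
        Add-Finding 'lnk-launches-local-binary' $lnk.FullName $launch
    }
    $base = [IO.Path]::GetFileNameWithoutExtension($lnk.Name)
    $twins = $items | Where-Object {
        $_.Name -ne $lnk.Name -and
        ($_.Name -ieq $base -or [IO.Path]::GetFileNameWithoutExtension($_.Name) -ieq $base) -and
        (($_.Attributes -band $hidden) -ne 0)
    }
    foreach ($t in $twins) { Add-Finding 'hidden-original-beside-lnk' $t.FullName "shortcut: $($lnk.Name)" }
}

# Heuristic 2: files marked both Hidden and System in the root (user documents normally are not)
foreach ($f in ($items | Where-Object { -not $_.PSIsContainer })) {
    if ((($f.Attributes -band $hidden) -ne 0) -and (($f.Attributes -band $system) -ne 0)) {
        Add-Finding 'hidden-system-file' $f.FullName $f.Attributes.ToString()
    }
}

# Heuristic 3: entry names containing Arabic script (.NET regex named block IsArabic)
foreach ($f in ($items | Where-Object { $_.Name -match '\p{IsArabic}' })) {
    Add-Finding 'arabic-script-name' $f.FullName $f.Extension
}

# Storage-space check: bytes held by root entries that Explorer hides by default
$hiddenBytes  = ($items | Where-Object { -not $_.PSIsContainer -and (($_.Attributes -band $hidden) -ne 0) } |
                 Measure-Object -Property Length -Sum).Sum
$visibleBytes = ($items | Where-Object { -not $_.PSIsContainer -and (($_.Attributes -band $hidden) -eq 0) } |
                 Measure-Object -Property Length -Sum).Sum
"{0}: {1:N0} bytes visible, {2:N0} bytes in hidden root entries, {3:N0} bytes free" -f `
    $root, [int64]$visibleBytes, [int64]$hiddenBytes, [int64]$disk.FreeSpace

if ($findings.Count -eq 0) { "No indicators of the shortcut-substitution pattern found in $root" }
else { $findings | Format-Table -AutoSize }
```

Run it as `.\Check-RemovableDrive.ps1 -DriveLetter E` from an elevated or standard PowerShell session on the machine the stick is plugged into, with AutoPlay disabled first. A large hidden-bytes figure next to a root full of .lnk files is the combination worth escalating; a single hidden `System Volume Information` folder on its own is normal Windows behaviour and is why the script reports only files, not directories, under the hidden-and-system rule.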

Always update anti-malware tools promptly so that they identify new threats as accurately as possible. Additionally, users may scan suspicious files before opening them as a precaution.

Even the smaller players in the threat landscape are always looking for an affordable way to make Bitcoins out of others' indiscretions. The fact that the Try2Cry Ransomware has critical weaknesses today doesn't mean that they'll always be there, or that USB security is safe to ignore.
