Security Experts:

Connect with us

Hi, what are you looking for?



Try2Cry Ransomware Spreads via USB Drives

G Data security researchers have identified a new ransomware family that attempts to spread using infected USB drives.

G Data security researchers have identified a new ransomware family that attempts to spread using infected USB drives.

Dubbed Try2Cry, the new piece of ransomware borrows functionality from Spora, which first emerged three years ago. Written in .NET, Try2Cry features a USB worm component similar to that previously observed in the njRAT remote access Trojan.

The new piece of ransomware appears related to the “Stupid” ransomware family, which is available in open-source on GitHub.

During their investigation, G Data’s security researchers discovered multiple Try2Cry samples, including some that do not pack the worm component. They also discovered that the malware uses Rijndael, the predecessor of AES, for encryption.

“The encryption password is hardcoded. The encryption key is created by calculating a SHA512 hash of the password and using the first 32 bits of this hash (see left picture below). The IV creation is almost identical to the key, but it uses the next 16 bits (indices 32-47) of the same SHA512 hash,” the researchers explain.

The technique employed by the worm component is similar to that of Spora, Dinihou or Gamarue: the malware searches for any connected removable drives, hides a copy of itself in the root folder (a file named Update.exe), then hides all files on the drive and replaces them with non-hidden LNK files (shortcuts) that point to both the original file and Update.exe.

The ransomware would also place visible copies of itself featuring Arabic names (they translate to Very special, Important, passwords, a stranger, and The Five Origins), attempting to lure users into launching them.

Despite these efforts, the infection of the USB drive is rather easy to spot, due to the shortcut icons used for the LNK files, and the Arabic executables, G Data points out. Furthermore, files encrypted with this ransomware are decryptable, given that the malware seems to be “just one of many variants of copy & paste ransomware created by criminals who can barely program,” G Data concludes.

Related: ICS-Targeting Snake Ransomware Isolates Infected Systems Before Encryption

Related: Ransomware Operators Claim They Hacked Printing Giant Xerox

Related: Multi-Platform ‘Tycoon’ Ransomware Uses Rare Java Image Format for Evasion

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...