Rewterz Threat Alert – Try2Cry Ransomware – IOCs

Severity

High

Analysis Summary

A new ransomware family, dubbed Try2Cry, that appears to be a variant of the Stupid ransomware family. Various samples were analyzed with the main differences being in the level of obfuscation, use of DNGuard, and use of a worm component. The ransomware targets various user documents with Rijndael encryption using a hardcoded password. It operates as most ransomware families, iterating over files to encrypt them and leaving a ransom note on the system after completion. A more noteworthy aspect of some of the samples of this ransomware is a worming component. During execution, it looks for removable devices on the system. If any are found, it drops a hidden copy of itself onto the drive, hides all files on the device, and replaces those files with Windows Shortcuts using the same icon that instead points to the ransomware executable. Visible copies of itself and with Arabic file names are also placed on the drive in an attempt to trick the user into opening them. The researchers note that a decryptor is available for the Stupid ransomware family that also works on Try2Cry samples.

Impact

File encryption

Indicators of Compromise

SHA-256

• f6521e298c849c14cd0a4d0e8947fa2d990e06d978e89a262e62c968cefd9b8f
• 3786ad08d8dacfa84a0c57b48dfa8921435f5579235d17edc00160e7a86ae1c5
• 590885b5afc3aa1d34720bb758fb2868bb0870557db2110e61397a5364c7f8b3
• 2c5f392767feced770b37fce6b66c1863daab36a716b07f25c5bef0eeafc0b26
• 3b65dbd9b05019aae658c21f7fcb18dd29eea1555cc26c3fa12b9aa74ea55b88
• 8594533a7544fa477e5711d237ccac7f4a62c2c847465ccea3cfdb414a00a397
• cefb7262229b0053daf3208f7adc7d4fb4edaf08944a9b65d7eb1efaa3128296
• dd036085f8220d13c60f879ff48ccf6c7d60893217fc988ae64d2ee6a4eb3241
• fb621d2c94b980d87a8aa3239ebeda857a2fcb29f5aac08facacdc879f9ce784
• fd24367e7a71bce4435fb808f483e0466df60e851fd05eed9c2fd838404e7a9d

Remediation

• Block all threat indicators at your respective controls.
• Search for IOCs in your environment.