Ransomware tries to worm

Encryption

Try2Cry targets files with the following extensions:

*.doc,*.ppt,*.jpg,*.xls,*.pdf,*.docx,*.pptx,*.xls,*.xlsx

The encryption method uses Rijndael, the predecessor of AES. The encryption password is hardcoded. The encryption key is created by calculating a SHA512 hash of the password and using the first 32 bits of this hash (see left picture below). The IV creation is almost identical to the key, but it uses the next 16 bits (indices 32-47) of the same SHA512 hash (see right picture below).
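Because the password is hardcoded, one password recovered from a sample yields the same key and IV for every encrypted file. The recovery helper below is an added example, not code from the original post or from the malware. It assumes the stated offsets are byte indices into the 64-byte digest (32-byte key, 16-byte IV), a UTF-8 password, a 128-bit block size (so Rijndael is equivalent to AES-256), and CBC mode with PKCS#7 padding, none of which the text states; `decrypt_blob` needs the third-party `cryptography` package.

```python
import hashlib


def derive_key_iv(password: str, encoding: str = "utf-8"):
    """Key = SHA-512(password)[0:32], IV = SHA-512(password)[32:48].

    ASSUMPTION: offsets are bytes and the password is encoded as UTF-8.
    """
    digest = hashlib.sha512(password.encode(encoding)).digest()  # 64 bytes
    return digest[:32], digest[32:48]


def decrypt_blob(ciphertext: bytes, password: str) -> bytes:
    """Recover the plaintext of one encrypted file's contents.

    ASSUMPTION: CBC mode with PKCS#7 padding; the write-up names neither.
    """
    # Reject input that cannot be whole cipher blocks before doing any work.
    if len(ciphertext) == 0 or len(ciphertext) % 16:
        raise ValueError("not a whole number of 16-byte blocks")

    # Third-party dependency, imported here so derive_key_iv stays stdlib-only.
    from cryptography.hazmat.primitives import padding
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    key, iv = derive_key_iv(password)
    decryptor = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = decryptor.update(ciphertext) + decryptor.finalize()

    # A wrong password or wrong mode almost always fails here with ValueError,
    # which makes the padding check a cheap test for a candidate password.
    unpadder = padding.PKCS7(128).unpadder()
    return unpadder.update(padded) + unpadder.finalize()


if __name__ == "__main__":
    # Constructed sample password, not the one from the malware.
    key, iv = derive_key_iv("constructed-sample-password")
    print("key:", key.hex())
    print("iv: ", iv.hex())
```

Always run recovery against copies of the encrypted files, and compare a decrypted document against a known-good original before trusting the assumed mode and padding.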
