- Sophos has identified a new ransomware variant called WantToCry that encrypts files remotely after exfiltration, reducing opportunities for detection.
- Attackers exploit exposed SMB services with weak credentials and then overwrite victims’ files with encrypted versions.
- Ransom demands are unusually low, between $600 and $1,800, reflecting limited reach and a lack of large-scale network impact.
Sophos security researchers have observed a new ransomware variant called WantToCry that, thanks to its encryption mechanism, is much harder to spot than traditional encryptors.
In an in-depth analysis, Sophos said attackers would first use scanners such as Shodan or Censys to search for internet-connected devices using the Server Message Block (SMB) service.
SMB is a network file sharing protocol that allows computers to access files and other resources on a local network as if they were on their own system. It is widely used in Microsoft Windows environments to enable shared drives and network authentication, and allows applications to manipulate files on remote servers.
Ask for hundreds instead of millions
After finding SMB services with TCP ports 139 and 445 open, they would try default, commonly used and otherwise weak credentials until one worked and granted access.
However, once inside, WantToCry does not do what encryptors usually do, which is lock files locally. Instead, the attackers exfiltrate the files first and perform the encryption on a remote server. They then write the encrypted files back to the victim devices, overwriting the originals and rendering them useless without the decryption key.
This process makes the defenders’ job even more difficult:
“The detection surface area is significantly reduced because WantToCry operates without local malware execution, and there is no post-compromise activity beyond exfiltrating files and writing them back to disk,” Sophos explained.
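As an added illustration (not Sophos's code or anything taken from its report), one defender-side check that follows from the point above: with no local malware execution, the only on-host artifact is the encrypted copy written back over the original, so a file-integrity pass can flag files whose header no longer matches their extension and whose content is near-random. The magic-byte table, entropy threshold and the sample files built in `demo()` are assumptions constructed for this example.

```python
import math
import os
import tempfile
from pathlib import Path

# Assumed header signatures for a few common types (not from the report).
MAGIC = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".docx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
}
# Extensions whose content is normally plain text, so near-random bytes are suspicious.
PLAINTEXT = {".txt", ".csv", ".log", ".md"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for encrypted or compressed data, ~4-5 for English text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_overwritten(path: Path, threshold: float = 7.5, sample: int = 65536) -> bool:
    """True when the file's content no longer fits what its extension promises.
    For binary formats both a bad header AND high entropy are required, because
    intact PNG/ZIP/DOCX bodies are high-entropy too; plain-text types use entropy alone."""
    with open(path, "rb") as fh:
        head = fh.read(sample)
    ext = path.suffix.lower()
    entropy = shannon_entropy(head)
    if ext in MAGIC:
        return not head.startswith(MAGIC[ext]) and entropy >= threshold
    if ext in PLAINTEXT:
        return entropy >= threshold
    return False  # no baseline for unknown types; leave them for manual review


def scan_tree(root: Path) -> list[Path]:
    """Return files under root that look like they were written back encrypted."""
    return sorted(p for p in root.rglob("*") if p.is_file() and looks_overwritten(p))


def demo() -> list[str]:
    """Constructed share: two intact files and two overwritten with random bytes."""
    root = Path(tempfile.mkdtemp())
    (root / "report.pdf").write_bytes(b"%PDF-1.7\n" + b"quarterly figures " * 400)
    (root / "notes.txt").write_bytes(b"meeting at 10, bring the SMB audit.\n" * 100)
    (root / "budget.pdf").write_bytes(os.urandom(8192))   # stands in for ciphertext
    (root / "secrets.txt").write_bytes(os.urandom(8192))  # stands in for ciphertext
    return [p.name for p in scan_tree(root)]
```

Run over a real share this would be one signal among several; pairing it with SMB write audit events for the same paths is what turns a suspicious file into an incident.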
Another aspect in which WantToCry stands out is the ransom demand. Usually, cybercriminals demand tens of thousands of dollars for the decryption key, or even millions for victim companies. Here, however, they would charge between $600 and $1,800.
“These amounts are small compared to traditional ransom demands and likely reflect the limited scope of the ransomware deployment,” Sophos added. “There is no post-intrusion activity in WantToCry attacks, that is, there is no positioning of the ransomware for maximum impact in a compromised environment. Therefore, it is likely that in many cases encryption occurs only on files stored on the host that exposed SMB services to the Internet.”
Sophos also said that the WantToCry operators do not have a website and do not currently list their victims.