- Sophos identified a new ransomware variant called WantToCry that remotely encrypts files after the breach, reducing opportunities for detection.
- Attackers exploit exposed SMB services with weak credentials and then overwrite victims’ files with encrypted versions.
- Ransom demands are unusually low, between $600 and $1,800, reflecting limited reach and lack of broad network impact.
Security researchers at Sophos observed a new ransomware variant called WantToCry that, thanks to its encryption mechanism, is much harder to detect than traditional encryptors.
In an in-depth analysis, Sophos said that attackers would first use scanners such as Shodan or Censys to search for devices connected to the Internet using the Server Message Block (SMB) service.
SMB is a network file sharing protocol that allows computers to access files and other resources over a local network as if they were on their own system. It is widely used in Microsoft Windows environments to enable shared drives and network authentication, and allows applications to manipulate files on remote servers.
Asking for hundreds instead of millions
After finding SMB services with TCP ports 139 and 445 open, they would try default, frequently used, and weak credentials until they worked and granted access.
However, once inside, WantToCry doesn’t do what encryptors usually do: lock files locally. Instead, the attackers extract the files first and perform the encryption on a remote server. They then write the encrypted files back to the victim’s devices, overwriting the originals and rendering them useless without the decryption key.
This process makes the defenders’ job much more difficult:
“The detection surface is significantly reduced because WantToCry works without local malware execution and there is no post-compromise activity beyond extracting files and writing them back to disk,” Sophos explained.
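Because the only host-side trace of this technique is files being read and then written back over SMB, a defender can look for exactly that pattern in share audit logs. The following is an added example (not Sophos’ code or anything from the article) that scans SMB file-access audit records in a constructed, simplified format and flags a client that reads and then rewrites many distinct files within a short window; the record format, the thresholds and the sample log lines are all assumptions.

```python
"""Flag read-then-overwrite bursts in SMB audit records (constructed format).

Record format assumed here (not any vendor's real format):
    <epoch_seconds>|<client_ip>|<user>|<READ or WRITE>|<path>
Heuristic: one client/user reads a file and later writes the same path back,
and does this for many distinct files inside a short time window.
"""
from collections import defaultdict

WINDOW_SECONDS = 300   # maximum span of one suspicious burst
MIN_OVERWRITES = 20    # distinct read-then-written files needed to alert


def parse(line):
    ts, ip, user, op, path = line.strip().split("|", 4)
    return int(ts), ip, user, op, path


def find_remote_overwrite_bursts(lines, window=WINDOW_SECONDS, threshold=MIN_OVERWRITES):
    first_read = defaultdict(dict)    # (ip, user) -> {path: time of first READ}
    overwrites = defaultdict(list)    # (ip, user) -> [(write_time, path), ...]
    for line in lines:
        ts, ip, user, op, path = parse(line)
        key = (ip, user)
        if op == "READ":
            first_read[key].setdefault(path, ts)
        elif op == "WRITE" and path in first_read[key]:   # write-back of a file already read
            overwrites[key].append((ts, path))
    alerts = []
    for (ip, user), events in overwrites.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):                    # sliding window over write times
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({p for _, p in events[start:end + 1]}))
        if best >= threshold:
            alerts.append({"client": ip, "user": user, "files": best})
    return alerts


def constructed_sample():
    """Constructed log: one normal editor and one burst from an external address."""
    lines = []
    for i in range(3):   # benign: three documents edited twenty minutes apart
        lines.append(f"{1000 + i * 1200}|10.0.0.5|alice|READ|\\share\\docs\\memo{i}.docx")
        lines.append(f"{1030 + i * 1200}|10.0.0.5|alice|WRITE|\\share\\docs\\memo{i}.docx")
    for i in range(25):  # suspicious: 25 files read, then all rewritten within 50 seconds
        lines.append(f"{5000 + i}|203.0.113.7|admin|READ|\\share\\finance\\q{i}.xlsx")
        lines.append(f"{5025 + i}|203.0.113.7|admin|WRITE|\\share\\finance\\q{i}.xlsx")
    return lines


if __name__ == "__main__":
    print(find_remote_overwrite_bursts(constructed_sample()))
```

Real deployments would feed this from Windows object-access auditing or Samba's audit module and tune the window and threshold to the share's normal write rate.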
Another aspect in which WantToCry stands out is the ransom demand. Typically, cybercriminals would demand tens of thousands of dollars for the decryption key, reaching millions for business victims. Here, however, they would ask for between $600 and $1,800.
“These amounts are low compared to traditional ransom demands and likely reflect the limited scope of the ransomware deployment,” Sophos added. “There is no post-intrusion activity in WantToCry attacks, that is, there is no ransomware position to achieve maximum impact in a compromised environment. Therefore, it is likely that in many cases the encryption occurs only on the files stored on the host that exposed the SMB services to the Internet.”
Sophos also said that WantToCry operators do not have a website and do not currently list their victims.