- Sophos identified a new ransomware variant called WantToCry that remotely encrypts files after exfiltration, reducing detection opportunities
- The attackers exploit exposed SMB services with weak credentials and then overwrite victim files with encrypted versions
- Ransom demands are unusually low, between $600 and $1,800, reflecting the limited scope of deployment and the absence of wider positioning across the victim's network
Security researchers at Sophos have observed a new ransomware variant called WantToCry which, because of the way it encrypts files, is much harder to spot than traditional ransomware.
In an in-depth analysis, Sophos said the attackers would first use scanners such as Shodan or Censys to look for Internet-connected devices using the Server Message Block (SMB) service.
SMB is a network file sharing protocol that lets computers access files and other resources over a local area network as if they were on their own system. It is widely used in Microsoft Windows environments to enable shared drives and network authentication and allows applications to manipulate files on remote servers.
Asking for hundreds instead of millions
After finding SMB services with open TCP ports 139 and 445, they would try default, frequently used, and otherwise weak credentials until they worked and allowed access.
But once inside, WantToCry doesn’t do what ransomware usually does, which is to encrypt files locally. Instead, the attackers exfiltrate the files first and perform the encryption on an external server. They then push the encrypted files back to the victim’s devices, overwriting the originals and rendering them unusable without the decryption key.
This process makes defenders’ jobs that much harder:
“The detection surface is significantly reduced because WantToCry operates without local malware execution and there is no post-compromise activity beyond exfiltrating files and rewriting them to disk,” Sophos explained.
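Because nothing executes on the host, the one trace this pattern leaves is in the share-access audit trail: an external SMB client reads a set of files and, a little later, writes every one of them back. The detection below is an added example, not Sophos' code, and it assumes a constructed log format (timestamp, client IP, operation, path) and a hypothetical list of internal address ranges.

```python
import ipaddress
from collections import defaultdict

# Address ranges treated as internal (assumption for this example).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed share-access audit lines: timestamp, client IP, operation, path.
# 203.0.113.7 reads three files, then writes the same three back (the WantToCry
# pattern); 10.0.0.25 is an internal user editing one document.
SAMPLE_LOG = r"""
2024-05-01T02:10:01 203.0.113.7 READ \\FS01\share\q1\report.xlsx
2024-05-01T02:10:02 203.0.113.7 READ \\FS01\share\q1\budget.docx
2024-05-01T02:10:03 203.0.113.7 READ \\FS01\share\q1\notes.txt
2024-05-01T02:14:20 203.0.113.7 WRITE \\FS01\share\q1\report.xlsx
2024-05-01T02:14:21 203.0.113.7 WRITE \\FS01\share\q1\budget.docx
2024-05-01T02:14:22 203.0.113.7 WRITE \\FS01\share\q1\notes.txt
2024-05-01T09:00:00 10.0.0.25 READ \\FS01\share\q1\report.xlsx
2024-05-01T09:05:00 10.0.0.25 WRITE \\FS01\share\q1\report.xlsx
"""


def is_external(ip: str) -> bool:
    """True when the client address is outside every internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_events(text: str):
    """Parse audit lines into (timestamp, ip, operation, path) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, op, path = line.split(maxsplit=3)
        events.append((ts, ip, op.upper(), path))
    return events


def find_read_then_overwrite(events, min_files: int = 3):
    """Return {client_ip: [paths]} for external clients that read at least
    min_files distinct files and later wrote each of those same files back.
    Events are assumed to be in chronological order."""
    read_by = defaultdict(set)
    overwritten = defaultdict(set)
    for _ts, ip, op, path in events:
        if op == "READ":
            read_by[ip].add(path)
        elif op == "WRITE" and path in read_by[ip]:
            overwritten[ip].add(path)
    return {ip: sorted(paths) for ip, paths in overwritten.items()
            if len(paths) >= min_files and is_external(ip)}


if __name__ == "__main__":
    for ip, paths in find_read_then_overwrite(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT {ip} read then overwrote {len(paths)} files: {paths}")
```

Tune `min_files` and the time window to the share's normal traffic; an internal editor who saves a file they just opened is expected and is ignored by the address check.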
Another aspect where WantToCry stands out is the ransom demand. Normally, cybercriminals would demand tens of thousands of dollars for the decryption key, which runs into millions for corporate victims. Here, however, they would ask between 600 and 1,800 kroner.
“These amounts are low compared to traditional ransom demands and likely reflect the limited scope of ransomware deployment,” Sophos added. “There is no post-intrusion activity in WantToCry attacks – that is, there is no positioning of the ransomware for maximum impact across a compromised environment. Therefore, in many cases it is likely that the encryption only occurs on files stored on the host that has exposed SMB services to the Internet.”
Sophos also said the WantToCry operators do not have a website and do not currently list their victims.