TechRadar
Sead Fadilpašić

'The detection surface is significantly reduced': Sophos report warns new "WantToCry" ransomware could pose a major risk to your business, here's what we know

  • Sophos identified a new ransomware variant called WantToCry that encrypts files remotely after exfiltration, reducing detection opportunities
  • The attackers exploit exposed SMB services with weak credentials, then overwrite victim files with encrypted versions
  • Ransom demands are unusually low, between $600 and $1,800, reflecting limited scope and lack of broad network impact

Security researchers at Sophos have observed a new ransomware variant called WantToCry which, thanks to its encryption mechanism, is much harder to spot than traditional encryptors.

In an in-depth analysis, Sophos said the attackers would first use scanners such as Shodan or Censys to look for internet-connected devices using the Server Message Block (SMB) service.

SMB is a network file-sharing protocol that lets computers access files and other resources over a local network as if they were on their own system. It is widely used in Microsoft Windows environments to enable shared drives and network authentication, and allows applications to manipulate files on remote servers.

Asking for hundreds instead of millions

After finding SMB services with open TCP ports 139 and 445, they would try default, frequently used, and otherwise weak credentials until they worked and granted access.

However, once inside, the WantToCry operators don’t do what encryptors usually do and lock files down locally. Instead, they first exfiltrate the files and do the encryption on a remote server. They then write the encrypted versions back to the victim devices, overwriting the originals and rendering them useless without the decryption key.

This process makes the defenders’ work that much harder:

“The detection surface is significantly reduced because WantToCry operates without local malware execution, and there is no post-compromise activity beyond exfiltrating files and rewriting them to disk,” Sophos explained.
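Since nothing executes locally, what a defender can still see is the SMB session itself: a run of failed logons followed by a success from an internet-facing peer, and that same peer overwriting files it has just read. As an added example (not code from Sophos or this article), the detector below looks for those two phases in SMB access logs; the log format, the sample lines and the internal address ranges are constructed assumptions.

```python
"""Flag the two observable phases of the attack described above: credential
guessing against an exposed SMB share, then the same remote peer rewriting
files it previously read. Log format is a constructed assumption:
"<time> <src_ip> <event> <detail>"."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample SMB access log (not real telemetry).
SAMPLE_LOG = """\
10:00:01 203.0.113.7 AUTH_FAIL admin
10:00:02 203.0.113.7 AUTH_FAIL administrator
10:00:03 203.0.113.7 AUTH_FAIL backup
10:00:04 203.0.113.7 AUTH_OK backup
10:01:10 203.0.113.7 READ docs/q1.xlsx
10:01:11 203.0.113.7 READ docs/q2.xlsx
10:01:12 203.0.113.7 READ docs/plan.docx
10:03:40 203.0.113.7 WRITE docs/q1.xlsx
10:03:41 203.0.113.7 WRITE docs/q2.xlsx
10:03:42 203.0.113.7 WRITE docs/plan.docx
10:05:00 10.0.0.5 AUTH_OK alice
10:05:01 10.0.0.5 READ docs/notes.txt
10:05:02 10.0.0.5 WRITE docs/notes.txt
"""

# Internal ranges assumed for this site; adjust to the real address plan.
LOCAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse(log):
    """Yield (time, src_ip, event, detail) tuples, skipping blank lines."""
    for line in log.splitlines():
        if line.strip():
            t, ip, ev, detail = line.split(maxsplit=3)
            yield t, ip, ev, detail

def find_guessing(events, fail_threshold=3):
    """Sources with >= fail_threshold AUTH_FAIL events before an AUTH_OK."""
    fails, hits = defaultdict(int), {}
    for _, ip, ev, user in events:
        if ev == "AUTH_FAIL":
            fails[ip] += 1
        elif ev == "AUTH_OK" and fails[ip] >= fail_threshold:
            hits[ip] = (fails[ip], user)  # (failed attempts, account that worked)
    return hits

def find_remote_rewrites(events, min_files=3):
    """External sources that overwrite files they previously read from the share."""
    seen, rewritten = defaultdict(set), defaultdict(set)
    for _, ip, ev, path in events:
        if any(ip_address(ip) in net for net in LOCAL_NETS):
            continue  # internal clients rewriting their own files is normal
        if ev == "READ":
            seen[ip].add(path)
        elif ev == "WRITE" and path in seen[ip]:
            rewritten[ip].add(path)
    return {ip: sorted(p) for ip, p in rewritten.items() if len(p) >= min_files}
```

Run over the constructed log, the external peer is reported for both guessing three accounts before succeeding and for rewriting three files it read, while the internal client's single edit is ignored.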

Another aspect in which WantToCry stands out is the ransom demand. Usually, cybercriminals would demand tens of thousands of dollars for the decryption key, going into millions for enterprise victims. Here, however, they would ask between $600 and $1,800.

“These amounts are low compared to traditional ransom demands and likely reflect the limited scope of the ransomware deployment,” Sophos added. “There is no post-intrusion activity in WantToCry attacks — that is, there is no positioning of the ransomware for maximum impact across a compromised environment. Therefore, it is likely that in many cases the encryption occurs only on files stored on the host that exposed SMB services to the internet.”

Sophos also said that the WantToCry operators don’t have a website and are not currently listing their victims.
