SophosLabs found that WantToCry ransomware abuses internet-exposed SMB services to gain access, exfiltrate files, and encrypt them remotely without executing any malware on the victim host. The campaign relies on weak authentication and targeted SMB traffic, with ransom notes demanding small payments and infrastructure spread across multiple countries. #WantToCry #SMB #CryptoGuard #Shodan #Censys
Key points
- WantToCry uses exposed SMB services for initial access.
- The attackers exfiltrate files and encrypt them on attacker-controlled infrastructure.
- Because no malware executes on the victim host, detection is much harder for EDR and antivirus tools.
- SophosLabs observed ransom notes named !Want_To_Cry.txt and low ransom demands.
- Defenses should block SMB exposure to the internet, remove weak authentication, and monitor file content changes on shares.
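The last point, monitoring file content changes, is the one defenders can act on even when no malware runs locally: files rewritten over SMB as high-entropy data, plus a dropped note named !Want_To_Cry.txt, is the pattern to alert on. The following is an added example of that detection logic, not code from Sophos or from the blog post; it assumes a feed of SMB write events carrying the file content before and after each write (the `WriteEvent` shape, the entropy and burst thresholds, the client addresses and the file contents are all constructed for the example).

```python
"""Added example: flag remote-encryption patterns in SMB write events (not Sophos code)."""
import hashlib
import math
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple

# Ransom note name reported by SophosLabs (from the page); matched case-insensitively.
RANSOM_NOTE_NAMES = {"!want_to_cry.txt"}

# Assumed tuning values for this example; a real deployment would calibrate them per share.
HIGH_ENTROPY = 7.0      # bits per byte: typical of ciphertext or compressed data
LOW_ENTROPY = 5.5       # bits per byte: typical of documents, source code, plain text
BURST_THRESHOLD = 3     # suspicious rewrites from one client before raising an alert


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or single-valued input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


@dataclass
class WriteEvent:
    """One SMB write seen on the share: who wrote, which path, and content before/after."""
    client: str
    path: str
    before: bytes
    after: bytes


def looks_like_encryption(ev: WriteEvent) -> bool:
    """Readable content replaced by high-entropy content is the remote-encryption signature."""
    return (shannon_entropy(ev.before) <= LOW_ENTROPY
            and shannon_entropy(ev.after) >= HIGH_ENTROPY)


def analyze(events: List[WriteEvent]) -> List[Tuple[str, str, str]]:
    """Return (kind, client, detail) alerts for ransom-note drops and encryption bursts."""
    alerts: List[Tuple[str, str, str]] = []
    suspicious_writes: Counter = Counter()
    for ev in events:
        filename = ev.path.rsplit("/", 1)[-1].lower()
        if filename in RANSOM_NOTE_NAMES:
            alerts.append(("ransom_note", ev.client, ev.path))
        elif looks_like_encryption(ev):
            suspicious_writes[ev.client] += 1
    for client, count in suspicious_writes.items():
        if count >= BURST_THRESHOLD:
            alerts.append(("encryption_burst", client,
                           f"{count} files rewritten as high-entropy data"))
    return alerts


def _pseudo_ciphertext(seed: str, size: int = 2048) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted output (constructed)."""
    out = b""
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
    return out[:size]


# Constructed sample traffic: one remote client rewriting documents and dropping the note,
# plus one benign edit from an internal host that must not be flagged.
PLAINTEXT = b"Quarterly report: revenue, costs and notes for the board. " * 40
SAMPLE_EVENTS = [
    WriteEvent("203.0.113.45", "/share/finance/q1.docx", PLAINTEXT, _pseudo_ciphertext("q1")),
    WriteEvent("203.0.113.45", "/share/finance/q2.docx", PLAINTEXT, _pseudo_ciphertext("q2")),
    WriteEvent("203.0.113.45", "/share/finance/q3.docx", PLAINTEXT, _pseudo_ciphertext("q3")),
    WriteEvent("203.0.113.45", "/share/finance/!Want_To_Cry.txt", b"",
               b"<constructed placeholder note text>"),
    WriteEvent("10.0.0.8", "/share/finance/memo.txt", PLAINTEXT, PLAINTEXT + b" Updated by Alice."),
]

if __name__ == "__main__":
    for kind, client, detail in analyze(SAMPLE_EVENTS):
        print(f"{kind:17} {client:15} {detail}")
```

The before/after comparison is what makes this work without any endpoint agent: a legitimate edit keeps the file readable, while remote encryption turns a low-entropy document into near-random bytes, and several such rewrites from one client in a short window is the signal worth paging on. The same logic applies to any network file protocol, not only SMB, as long as the content of each write can be observed.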
Read More: https://www.sophos.com/en-us/blog/wanttocry-ransomware-remotely-encrypts-files