Key Takeaways
- WantToCry is a novel ransomware that steals data first, encrypts copies on a remote server, and then returns the encrypted files to the victim, making recovery nearly impossible.
- The malware primarily targets systems exposing SMB services (TCP 139/445) with weak or stolen credentials.
- Attackers use internet‑scanning tools such as Shodan and Censys to locate vulnerable hosts before attempting credential‑based intrusion.
- Ransom demands are relatively low ($600–$1,800), suggesting the campaign may be in an early testing phase.
- Defenders should harden SMB, disable unnecessary open ports, enforce strong passwords and MFA, maintain regular backups, and monitor network traffic continuously.
Overview of WantToCry
Sophos researchers have identified a new ransomware variant dubbed “WantToCry” that deviates from traditional ransomware tactics. Rather than encrypting files directly on the infected machine, WantToCry first exfiltrates sensitive data to a remote attacker‑controlled server, encrypts the copied files there, and then transfers the encrypted versions back to the victim’s system. By the time the encrypted copies arrive, the original data has already been stolen, so even if a decryption key is supplied, victims cannot recover their files in their original, unexposed state. The approach significantly raises the stakes of a ransomware infection, combining data theft with extortion in a single campaign.
Technical Workflow of WantToCry
After gaining access to a host, the malware begins an exfiltration phase, gathering valuable documents, databases, and other sensitive files and uploading them to a command‑and‑control (C2) server under the attackers’ control. On that server, the ransomware creates exact duplicates of the stolen data and encrypts them using its own cryptographic routine. The encrypted copies are then streamed back to the compromised machine, overwriting or replacing the original files. Because the encryption never occurs locally, victims lack the typical artifacts (e.g., local encryption keys or ransom notes dropped on disk) that would aid forensic recovery, and the attackers retain the plaintext data for potential double‑extortion or resale.
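One way to turn the workflow above into a detection heuristic, as an added example that is not code from Sophos or from the article: flag any internal host that pushes a bulk transfer to an external address and then receives a comparably sized transfer back from that same address shortly afterwards. The flow records, byte threshold, time window and internal address ranges are constructed assumptions; adjust them to the monitored network.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed internal ranges; an analyst would replace these with the real ones.
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# Constructed flow records for the demo, not data from the article:
# (timestamp, src_ip, dst_ip, dst_port, bytes_transferred)
SAMPLE_FLOWS = [
    ("2024-01-01T10:00:00", "10.0.0.5", "203.0.113.7", 445, 50_000_000),    # bulk upload to external host
    ("2024-01-01T10:25:00", "203.0.113.7", "10.0.0.5", 445, 48_000_000),    # bulk download from same host
    ("2024-01-01T11:00:00", "10.0.0.9", "10.0.0.20", 445, 30_000_000),      # internal file copy, ignored
    ("2024-01-01T12:00:00", "10.0.0.12", "198.51.100.3", 443, 2_000_000),   # small upload, below threshold
    ("2024-01-01T13:00:00", "10.0.0.12", "198.51.100.3", 443, 20_000_000),  # bulk upload with no return leg
]


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the configured internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_roundtrip_transfers(flows, min_bytes=10_000_000, window=timedelta(hours=2)):
    """Return (internal_host, external_host, out_bytes, in_bytes, minutes_between)
    for every internal host that sent >= min_bytes to an external host and then
    received >= min_bytes back from that same host within `window`."""
    uploads = {}  # (internal, external) -> (time, bytes) of the latest bulk upload
    hits = []
    for ts, src, dst, _port, nbytes in sorted(flows, key=lambda f: f[0]):
        if nbytes < min_bytes:
            continue  # ignore ordinary-sized traffic
        t = datetime.fromisoformat(ts)
        if is_internal(src) and not is_internal(dst):
            uploads[(src, dst)] = (t, nbytes)  # candidate exfiltration leg
        elif is_internal(dst) and not is_internal(src):
            prior = uploads.get((dst, src))  # was there a bulk upload to this host first?
            if prior and t - prior[0] <= window:
                gap = int((t - prior[0]).total_seconds() // 60)
                hits.append((dst, src, prior[1], nbytes, gap))
    return hits


if __name__ == "__main__":
    for host, peer, out_b, in_b, gap in find_roundtrip_transfers(SAMPLE_FLOWS):
        print(f"ALERT {host}: {out_b} B out to {peer}, {in_b} B back {gap} min later")
```

Large bidirectional transfers with an external peer also occur legitimately (cloud backups, sync clients), so the output is a triage queue to correlate with SMB logon events, not a verdict on its own.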
Attack Vector: Exploiting SMB Services
The initial foothold for WantToCry is almost always an exposed Server Message Block (SMB) service. SMB is a legacy file‑sharing protocol prevalent in Windows environments, enabling seamless access to remote files and printers. When SMB ports (TCP 139 and TCP 445) are left open to the internet without proper segmentation or authentication, they become an attractive entry point for threat actors. Sophos notes that the attackers specifically hunt for devices where SMB is reachable and protected only by weak, default, or stolen login credentials, allowing them to log in as legitimate users.

