'The detection surface is significantly reduced': Sophos report warns new "WantToCry" ransomware could pose a major risk to your business, here's what we know
What happens when the encryption is done elsewhere?
- Sophos identified a new ransomware variant called WantToCry that encrypts files remotely after exfiltration, reducing detection opportunities
- The attackers exploit exposed SMB services with weak credentials, then overwrite victim files with encrypted versions
- Ransom demands are unusually low, between $600 and $1,800, reflecting limited scope and lack of broad network impact
Security researchers at Sophos have observed a new ransomware variant called WantToCry which, because of where its encryption actually happens, is much harder to spot than traditional encryptors.
In an in-depth analysis, Sophos said the attackers first use internet-scanning search engines such as Shodan or Censys to look for internet-connected devices exposing the Server Message Block (SMB) service.
SMB is a network file-sharing protocol that lets computers access files and other resources over a local network as if they were on their own system. It is widely used in Microsoft Windows environments to enable shared drives and network authentication, and allows applications to manipulate files on remote servers.
Asking for hundreds instead of millions
After finding hosts with SMB reachable on TCP ports 139 and 445, they try default, commonly used, and otherwise weak credentials until one works and grants access.
However, once inside, the WantToCry operators don't do what encryptors usually do and encrypt files locally on the victim. Instead, they first exfiltrate the files and perform the encryption on a remote server they control. They then write the encrypted versions back to the victim's devices, overwriting the originals and leaving them unusable without the decryption key.
This process makes the defenders’ work that much harder:
“The detection surface is significantly reduced because WantToCry operates without local malware execution, and there is no post-compromise activity beyond exfiltrating files and rewriting them to disk,” Sophos explained.
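Because no malware runs on the victim, process-based detection has nothing to catch; what does change is the data on the share itself: a file comes back at roughly the same size but its bytes are now indistinguishable from random. The following is an added example, not Sophos's tooling or anything from the report, of a data-driven check for that pattern: snapshot the entropy of every file on a share, and later flag files that were rewritten in place with near-maximum entropy. The share layout, file contents, thresholds and the pseudo-random bytes standing in for ciphertext are all constructed for the example.

```python
"""Flag files on a share that were overwritten in place with encrypted content.

Illustrative code only (not from Sophos or the WantToCry report). It assumes
the attack pattern described above: an existing file is replaced by a
ciphertext version of itself with no local process doing the encrypting, so
the only observable is the change in the file's bytes. Thresholds and sample
data are constructed for this example.
"""
import math
import os
import random
import shutil
import tempfile
from collections import Counter

HIGH_ENTROPY = 7.5  # bits/byte; encrypted or compressed data sits near 8.0
MIN_JUMP = 1.5      # entropy must rise by at least this much vs. the baseline
MIN_SIZE = 256      # tiny files give noisy entropy estimates; skip them


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def snapshot(root: str) -> dict:
    """Map relative path -> (size, entropy) for every regular file under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                data = fh.read()
            snap[os.path.relpath(full, root)] = (len(data), shannon_entropy(data))
    return snap


def find_rewritten(baseline: dict, current: dict) -> list:
    """Paths that look like in-place overwrites with encrypted content.

    A hit requires: same path in both snapshots, size close to the original
    (ciphertext of a file is usually its size plus a small header), and an
    entropy jump from a 'normal' level up to near-random.
    """
    hits = []
    for rel, (size, ent) in current.items():
        if rel not in baseline or size < MIN_SIZE:
            continue
        old_size, old_ent = baseline[rel]
        size_ok = abs(size - old_size) <= max(64, old_size // 10)
        if size_ok and ent >= HIGH_ENTROPY and ent - old_ent >= MIN_JUMP:
            hits.append(rel)
    return sorted(hits)


def build_demo_share() -> tuple:
    """Create a throwaway 'share', snapshot it, overwrite one file, snapshot again.

    Returns (baseline, after_overwrite, share_dir). Contents are synthetic: a
    plain-text report, a log file, and seeded pseudo-random bytes standing in
    for the ciphertext an attacker would write back.
    """
    share = tempfile.mkdtemp(prefix="share_")
    report = os.path.join(share, "finance", "q3_report.txt")
    log = os.path.join(share, "app.log")
    os.makedirs(os.path.dirname(report))
    with open(report, "w") as fh:
        fh.write("Quarterly revenue summary\n" * 200)
    with open(log, "w") as fh:
        fh.write("2024-01-01 INFO service started\n" * 100)
    baseline = snapshot(share)

    # Simulate the overwrite step: same path, original size plus a 16-byte
    # header, bytes now look random. Seeded so the demo is repeatable.
    rng = random.Random(1234)
    cipher = bytes(rng.getrandbits(8) for _ in range(os.path.getsize(report) + 16))
    with open(report, "wb") as fh:
        fh.write(cipher)
    return baseline, snapshot(share), share


if __name__ == "__main__":
    before, after, share_dir = build_demo_share()
    print("rewritten with high-entropy content:", find_rewritten(before, after))
    shutil.rmtree(share_dir)
```

The baseline-versus-current comparison matters: a file that was already compressed or encrypted (a zip, a PDF with embedded images) sits near 8 bits/byte legitimately, and the MIN_JUMP requirement keeps such files from firing on every run. The flip side is a blind spot this heuristic cannot close: encrypted versions of files that were already high-entropy look no different, so in practice the check should be paired with SMB write auditing on the file server and, above all, with not exposing ports 139 and 445 to the internet in the first place.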
Another aspect in which WantToCry stands out is the ransom demand. Usually, cybercriminals would demand tens of thousands of dollars for the decryption key, going into millions for enterprise victims. Here, however, they would ask between $600 and $1,800.
“These amounts are low compared to traditional ransom demands and likely reflect the limited scope of the ransomware deployment,” Sophos added. “There is no post-intrusion activity in WantToCry attacks — that is, there is no positioning of the ransomware for maximum impact across a compromised environment. Therefore, it is likely that in many cases the encryption occurs only on files stored on the host that exposed SMB services to the internet.”
Sophos also said that the WantToCry operators don’t have a website and are not currently listing their victims.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.