
New WantToCry ransomware evades detection by encrypting files remotely

A new ransomware variant named WantToCry uses a novel method of encrypting files remotely after exfiltration, which makes it significantly harder to detect than traditional ransomware, according to Tech Radar.

The attackers behind WantToCry scan the internet for exposed Server Message Block (SMB) services, often found in Microsoft Windows environments. They exploit weak or default credentials to gain access to these services. 

Once inside, instead of encrypting files locally, the ransomware first exfiltrates the data to a remote server. The encryption process then occurs on this remote server, and the encrypted files are redeployed to the victim's devices, overwriting the original data. 

This remote encryption significantly reduces the detection surface for security teams, as there is minimal local malware execution or post-compromise activity beyond file exfiltration and overwriting. Unusually low ransom demands, ranging from $600 to $1,800, suggest a more limited scope of attack, likely targeting individual hosts with exposed SMB services rather than widespread network compromise. The operators are not currently listing their victims.
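Since the only activity left on the victim host is files being read and then overwritten over SMB, the file server's share-access records are one place that pattern can still be seen. The following is an added example, not code from Tech Radar or the original research: the record format, the sample events and the thresholds (`min_files`, `window`) are assumptions, and the records are taken to be normalized from file-share access auditing on the SMB server.

```python
from collections import defaultdict

# Constructed sample records (not real telemetry): (epoch_seconds, client_ip, op, path).
# Assumed to be normalized from file-share access auditing on the SMB server.
SAMPLE_EVENTS = [
    (1000, "203.0.113.7", "read",  r"docs\budget.xlsx"),
    (1005, "203.0.113.7", "read",  r"docs\plan.docx"),
    (1010, "203.0.113.7", "read",  r"docs\notes.txt"),
    (1020, "10.0.0.15",   "read",  r"docs\plan.docx"),
    (1030, "10.0.0.15",   "write", r"docs\plan.docx"),   # ordinary single-file edit
    (4000, "203.0.113.7", "write", r"docs\budget.xlsx"),
    (4010, "203.0.113.7", "write", r"docs\plan.docx"),
    (4020, "203.0.113.7", "write", r"docs\notes.txt"),
    (9000, "10.0.0.22",   "write", r"docs\new.txt"),     # write with no prior read
]

def flag_remote_rewrite(events, min_files=3, window=6 * 3600):
    """Return {client_ip: sorted paths} for clients that read and later
    overwrote at least `min_files` distinct files within `window` seconds."""
    first_read = defaultdict(dict)    # ip -> {path: time of first read}
    rewritten = defaultdict(set)      # ip -> paths read, then written by same ip
    for ts, ip, op, path in sorted(events):
        key = path.lower()            # Windows share paths are case-insensitive
        if op == "read":
            first_read[ip].setdefault(key, ts)
        elif op == "write":
            read_ts = first_read[ip].get(key)
            if read_ts is not None and 0 <= ts - read_ts <= window:
                rewritten[ip].add(key)
    return {ip: sorted(paths) for ip, paths in rewritten.items()
            if len(paths) >= min_files}

if __name__ == "__main__":
    for ip, paths in flag_remote_rewrite(SAMPLE_EVENTS).items():
        print(f"{ip}: {len(paths)} files read, then overwritten by the same client")
```

The thresholds need tuning against normal backup and sync traffic, which also reads and rewrites many files from a single client.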

Source: Tech Radar

Kelley Damore, Chief Content Officer, CyberRisk Alliance

Kelley Damore is Chief Content Officer at CyberRisk Alliance, where she leads content strategy across the company’s digital brands, research, communities and live events serving CISOs and security practitioners. At CyberRisk Alliance, she is focused on delivering 365-day engagement, trusted journalism and actionable insights to help security leaders navigate an increasingly complex threat landscape.

