Exposed SMB: The Hidden Risk Behind 'WantToCry' Ransomware Attacks
Jan. 31, 2025, 2:07 p.m.
Description
The WantToCry ransomware group, active since December 2023, intensified its operations in 2024 by exploiting misconfigured Server Message Block (SMB) services. The group targets multiple network services, including SMB, SSH, FTP, RPC, and VNC, using brute-force attacks drawn from a database of over one million passwords. Once access is gained, the ransomware encrypts files on publicly exposed network drives and NAS devices, appending the extension '.want_to_cry' to each affected file. The attackers communicate with victims through encrypted messaging platforms and demand ransom payments. The ransomware's execution flow consists of reconnaissance, exploitation via brute force, access to shared drives, and payload execution that leaves no artifacts on the local host. To mitigate the risk, organizations should keep antivirus signatures up to date, disable unnecessary SMB sharing, require authentication on every share, restrict public access to file services, and enable advanced detection systems.
Date
Published: Jan. 31, 2025, 1:25 p.m.
Created: Jan. 31, 2025, 1:25 p.m.
Modified: Jan. 31, 2025, 2:07 p.m.
Attack Patterns
WantToCry
T1021.002
T1135
T1490
T1110
T1071.001
T1573
T1486
T1083
T1078