Exposed SMB: The Hidden Risk Behind 'WantToCry' Ransomware Attacks

Jan. 31, 2025, 2:07 p.m.

Description

The WantToCry ransomware group, active since December 2023, intensified its operations in 2024 by exploiting misconfigured Server Message Block (SMB) services. The group targets several network services, including SMB, SSH, FTP, RPC, and VNC, with brute-force attacks drawn from a database of more than one million passwords. Once it has valid credentials, the ransomware encrypts publicly exposed network drives and NAS devices, appending the extension '.want_to_cry' to affected files. The attackers communicate with victims through encrypted messaging platforms and demand ransom payments. The attack flow consists of reconnaissance, brute-force credential guessing, access to the exposed shares, and payload execution directly against those shares, so no local artifacts are left on the victim's endpoints. To reduce the risk, organizations should keep antivirus up to date, disable unnecessary SMB sharing, require authentication on every share, restrict public (internet-facing) access to SMB, and enable advanced detection systems.
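The brute-force stage (T1110) followed by a successful logon with a guessed password (T1078) is the part of this flow a defender can catch in share-server authentication logs before any encryption happens. The following is an added example written for this page, not code from the page's author or from any vendor: it runs a sliding-window failed-logon detector over a constructed SMB authentication log whose line layout is assumed for the example, flags sources that exceed a failure threshold, and marks a source whose later logon succeeded.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample SMB auth log (layout invented for this example, not real telemetry).
SAMPLE_LOG = """\
2025-01-30T02:00:01 smb auth fail user=admin src=198.51.100.7
2025-01-30T02:00:02 smb auth fail user=admin src=198.51.100.7
2025-01-30T02:00:02 smb auth fail user=backup src=198.51.100.7
2025-01-30T02:00:03 smb auth fail user=nas src=198.51.100.7
2025-01-30T02:00:04 smb auth fail user=root src=198.51.100.7
2025-01-30T02:00:05 smb auth ok user=nas src=198.51.100.7
2025-01-30T02:10:00 smb auth fail user=alice src=192.0.2.10
2025-01-30T02:31:00 smb auth ok user=alice src=192.0.2.10
"""
LINE_RE = re.compile(r"^(\S+) smb auth (fail|ok) user=(\S+) src=(\S+)$")

def parse_events(text):
    # Yield (timestamp, result, user, source ip) for each well-formed line.
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)

def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Flag sources with >= threshold failed logons inside a sliding window.
    Returns {src: {"users": usernames tried, "success_after": bool}}; success_after
    is True when a flagged source later logged on, i.e. a password was guessed."""
    recent = defaultdict(deque)   # src -> timestamps of failures still in window
    users = defaultdict(set)
    flagged = {}
    for ts, result, user, src in sorted(events):
        if result == "fail":
            q = recent[src]
            q.append(ts)
            users[src].add(user)
            while ts - q[0] > window:      # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                hit = flagged.setdefault(src, {"users": set(), "success_after": False})
                hit["users"] |= users[src]
        elif src in flagged:
            flagged[src]["success_after"] = True
    return flagged

if __name__ == "__main__":
    for src, hit in detect_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(src, sorted(hit["users"]), "password guessed" if hit["success_after"] else "")
```

A flagged source with success_after set is the point at which the share should be taken offline or the account reset, since the next step in the described flow is encryption of the share's contents.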

Date

Published: Jan. 31, 2025, 1:25 p.m.

Created: Jan. 31, 2025, 1:25 p.m.

Modified: Jan. 31, 2025, 2:07 p.m.

Indicators

194.36.179.18

194.36.178.133

Attack Patterns

WantToCry

T1021.002

T1135

T1490

T1110

T1071.001

T1573

T1486

T1083

T1078