Analysts at SophosLabs, the threat research unit of Sophos, have investigated a series of ransomware attacks attributed to the group behind a malware family they have named WantToCry, not to be confused with the notorious WannaCry worm that first emerged in 2017. The new operation abuses the Server Message Block (SMB) protocol both for initial access and for the encryption itself, rather than deploying traditional malware on victim systems.
Attackers first conduct reconnaissance to identify organizations with internet-exposed SMB services protected only by weak or guessable credentials. Once authenticated to a share, they copy its files to infrastructure under their control, encrypt them there, and then write the encrypted copies back over the originals through the same SMB session. The victim host never executes attacker code; all it sees is file reads and writes from an authenticated SMB client. A ransom note is then delivered demanding payment for decryption.
This reduced footprint makes the attack hard to catch with conventional endpoint monitoring. Because no executable is dropped and no other change is made to the system, tools that key on process creation, persistence mechanisms or new binaries may raise no alert during the early stages; the only visible activity is file reads and writes over an SMB session that, taken on its own, looks like legitimate share usage.
The name WantToCry appears to reference the 2017 WannaCry ransomware worm, which spread by exploiting an SMBv1 vulnerability (MS17-010, via the EternalBlue exploit). WantToCry, by contrast, shows no self-propagating capability, and there is no evidence linking the two operations. What the two share is the exposure they depend on: SMB reachable from the internet. Patching closed the door WannaCry used, but it does not help against WantToCry, which simply logs in with weak credentials.
SophosLabs analysts mapped portions of the attacker infrastructure used across multiple campaigns. The findings show that threat actors keep targeting legacy protocols left exposed through misconfiguration or outdated security practices.
Security teams are advised to block SMB (TCP port 445) from the internet, enforce strong authentication (unique, non-guessable passwords, account lockout, and no guest or anonymous share access), and monitor for unusual file transfers over the protocol, in particular a single client reading a large number of files and then writing every one of them back. Regular audits of network exposure can help reduce the risk of similar remote encryption attempts.
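The monitoring advice above is easier to act on with a concrete rule. The following is an added example written for this article, not code from Sophos or Red Sky Alliance, and WantToCry's actual tooling is not described here. It scores SMB file-access telemetry for the read-then-overwrite pattern the attack produces: one client reads many files on a share and then writes each of them back within a short window. The record layout is assumed to be Zeek's stock smb_files.log; the events, hosts, share name and thresholds are all constructed for illustration.

```python
"""Detect the remote-encryption pattern (read many files, write them all back)
in Zeek-style smb_files records.  Added example for this article, not code
from Sophos or Red Sky Alliance.  All sample data below is constructed."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Column order of Zeek's default smb_files.log (assumption: stock layout with
# no deployment-specific fields added).
ZEEK_COLUMNS = [
    "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "fuid",
    "action", "path", "name", "size", "prev_name", "times.modified",
    "times.accessed", "times.created", "times.changed", "data_offset_req",
    "data_len_req", "data_len_rsp",
]

# Address space treated as internal; any other client is "external" here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "::1/128",
)]


@dataclass(frozen=True)
class SmbEvent:
    ts: float
    orig_h: str   # SMB client (the host that authenticated to the share)
    resp_h: str   # file server
    action: str   # e.g. SMB::FILE_READ or SMB::FILE_WRITE
    path: str     # share, e.g. \\FS01\Finance
    name: str     # file name inside the share


def parse_smb_files_line(line: str) -> SmbEvent:
    """Turn one tab-separated smb_files.log data line into an SmbEvent."""
    fields = dict(zip(ZEEK_COLUMNS, line.rstrip("\n").split("\t")))
    return SmbEvent(float(fields["ts"]), fields["id.orig_h"], fields["id.resp_h"],
                    fields["action"], fields["path"], fields["name"])


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect_remote_encryption(events: Iterable[SmbEvent], window_s: float = 600.0,
                             min_files: int = 5, external_only: bool = True
                             ) -> Dict[Tuple[str, str], List[str]]:
    """Return {(client, server): [files]} for every client that read and then
    wrote back at least min_files distinct files on one server within window_s.
    A write with no earlier read of that file is ordinary editing and is
    ignored; a read with no later write (exfiltration only) is ignored here
    and deserves a rule of its own."""
    first_read: Dict[Tuple[str, str, str], float] = {}
    overwritten: Dict[Tuple[str, str], set] = defaultdict(set)
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.orig_h, ev.resp_h, ev.path + "\\" + ev.name)
        if ev.action == "SMB::FILE_READ":
            first_read.setdefault(key, ev.ts)
        elif ev.action == "SMB::FILE_WRITE" and key in first_read:
            if ev.ts - first_read[key] <= window_s:
                overwritten[(ev.orig_h, ev.resp_h)].add(key[2])
    hits: Dict[Tuple[str, str], List[str]] = {}
    for (client, server), files in overwritten.items():
        if external_only and not is_external(client):
            continue
        if len(files) >= min_files:
            hits[(client, server)] = sorted(files)
    return hits


SHARE = r"\\FS01\Finance"   # constructed share name
T0 = 1700000000.0


def _burst(client: str, action: str, t0: float, n: int) -> List[SmbEvent]:
    return [SmbEvent(t0 + i, client, "10.0.0.20", action, SHARE, f"report{i}.xlsx")
            for i in range(n)]


# Constructed telemetry: an internet host reads six files and writes all six
# back five minutes later; a workstation edits one file; a second internal host
# shows the same burst (an attacker who already has a foothold inside).
SAMPLE_EVENTS = (
    _burst("203.0.113.45", "SMB::FILE_READ", T0, 6)
    + _burst("203.0.113.45", "SMB::FILE_WRITE", T0 + 300, 6)
    + [SmbEvent(T0 + 10, "10.0.0.55", "10.0.0.20", "SMB::FILE_READ", SHARE, "budget.docx"),
       SmbEvent(T0 + 40, "10.0.0.55", "10.0.0.20", "SMB::FILE_WRITE", SHARE, "budget.docx")]
    + _burst("10.0.0.60", "SMB::FILE_READ", T0 + 50, 5)
    + _burst("10.0.0.60", "SMB::FILE_WRITE", T0 + 120, 5)
)

# One constructed smb_files.log data line in the column order above.
SAMPLE_ZEEK_LINE = "\t".join([
    "1700000400.5", "CxyZ1a", "203.0.113.45", "49152", "10.0.0.20", "445",
    "FabcDe", "SMB::FILE_WRITE", SHARE, "ledger.xlsx", "20480", "-", "-", "-",
    "-", "-", "0", "20480", "-",
])

if __name__ == "__main__":
    for (client, server), files in detect_remote_encryption(SAMPLE_EVENTS,
                                                            external_only=False).items():
        tag = "EXTERNAL" if is_external(client) else "internal"
        print(f"{tag} {client} -> {server}: {len(files)} files read then overwritten")
```

With the defaults only the internet-sourced client is reported; passing external_only=False also surfaces the internal host, which matters once an attacker is operating from a compromised workstation rather than straight from the internet. The window and file-count thresholds are starting points to tune against a baseline of normal share usage, and the same rule can be fed from Windows file-share audit events instead of Zeek by mapping their fields onto SmbEvent.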
The investigation demonstrates that ransomware operators are adapting their techniques to minimize footprints while still achieving data encryption and extortion objectives.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989