Sophos research raises alert about WantToCry ransomware

Cybersecurity researchers at Sophos have recently identified and issued an alert regarding a new and unusual ransomware variant named “WantToCry.” Unlike conventional ransomware attacks that simply encrypt files on a victim’s machine, this malware follows a far more dangerous and sophisticated approach. It first steals sensitive data from the infected system, encrypts the files on a remote server controlled by the attackers, and then transfers the encrypted copies back to the victim’s system. This method leaves victims with little to no chance of recovering their original data, even if a decryption key is later provided.

According to researchers, the attackers are primarily targeting devices that are exposed through SMB (Server Message Block) services and protected with weak or stolen login credentials. SMB is a widely used network file-sharing protocol that allows computers to access files and resources stored on remote systems as though they were stored locally. The protocol is commonly found across Microsoft Windows environments and is often used in enterprise networks for file and printer sharing.

The ransomware operators reportedly use internet-scanning platforms such as Shodan and Censys to identify vulnerable devices connected to the internet. These tools help attackers locate systems with open TCP ports 139 and 445, both of which are commonly associated with SMB services. Once a vulnerable system is discovered, the hackers attempt to gain unauthorized access using stolen or weak credentials.

After infiltrating the network, the attackers begin the exfiltration phase by copying valuable files from the victim’s machine to a remote server. The malware then creates duplicate copies of the stolen data and encrypts them remotely before sending the encrypted versions back to the compromised device. This unique strategy differs from traditional ransomware because the encryption process does not occur directly on the victim’s machine. As a result, recovery becomes significantly more difficult, and victims remain under constant threat since their original files have already been stolen.

Security experts have also noted that the ransom demands associated with WantToCry are relatively low, ranging from approximately $600 to $1,800. Researchers believe this could indicate that the ransomware campaign is still in its early stages and may expand into larger operations in the future.

The emergence of WantToCry highlights the growing sophistication of modern ransomware attacks. Organizations are therefore being advised to strengthen SMB security, disable unnecessary open ports, enforce strong password policies, and implement multi-factor authentication wherever possible. Regular data backups and continuous network monitoring can also help reduce the impact of such cyberattacks and improve recovery capabilities in the event of a breach.
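A defender-side check for the exposure the article describes: the PowerShell audit below (an added example, not from Sophos or the article) reports whether a Windows host listens on TCP 139/445, whether firewall rules allow inbound SMB from any address, whether SMBv1, signing and encryption are in a weak state, and whether any local account is allowed a blank password. It assumes Windows 8 / Server 2012 or later with the SmbShare and NetSecurity modules and an elevated session.

```powershell
# Added example (not Sophos' or the article's code): audit a Windows host for
# SMB exposure. Assumes an elevated session with the SmbShare and NetSecurity
# modules available.

$findings = @()

# 1. Is the host listening on the SMB ports at all?
$listen = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in 139, 445 }
foreach ($l in $listen) {
    $findings += "Listening on TCP $($l.LocalPort) bound to $($l.LocalAddress)"
}

# 2. Enabled inbound allow rules for 139/445 whose remote scope is 'Any'
$smbRules = Get-NetFirewallPortFilter -ErrorAction SilentlyContinue |
    Where-Object { $_.Protocol -eq 'TCP' -and
                   ($_.LocalPort -contains '445' -or $_.LocalPort -contains '139') } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
foreach ($r in $smbRules) {
    $remote = ($r | Get-NetFirewallAddressFilter).RemoteAddress
    if ($remote -contains 'Any') {
        $findings += "Rule '$($r.DisplayName)' allows inbound SMB from Any (profile: $($r.Profile))"
    }
}

# 3. Server-side SMB settings: SMBv1, signing, encryption
$cfg = Get-SmbServerConfiguration
if ($cfg.EnableSMB1Protocol)            { $findings += 'SMBv1 is enabled' }
if (-not $cfg.RequireSecuritySignature) { $findings += 'SMB signing is not required' }
if (-not $cfg.EncryptData)              { $findings += 'SMB encryption is not enforced' }

# 4. Enabled local accounts that are allowed a blank password
Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordRequired } | ForEach-Object {
    $findings += "Local account '$($_.Name)' does not require a password"
}

if ($findings.Count -eq 0) { 'No SMB exposure findings' } else { $findings }
```

Any host that reports a listening port plus an 'Any'-scoped allow rule is reachable the way the article describes and should have the rule scoped to internal addresses or the port blocked at the perimeter.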


Naveen Goud
Naveen Goud is a writer at Cybersecurity Insiders covering topics such as Mergers & Acquisitions, Startups, Cyber Attacks, Cloud Security and Mobile Security
