Exposed SMB: The Hidden Risk Behind 'WantToCry' Ransomware Attacks
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:
The WantToCry ransomware group, active since December 2023, has intensified its operations in 2024 by exploiting misconfigured Server Message Block (SMB) services. The group targets multiple network services, including SMB, SSH, FTP, RPC, and VNC, using brute-force attacks with a database of over one million passwords. Once access is gained, the ransomware encrypts publicly exposed network drives and NAS devices, appending the extension '.want_to_cry' to affected files. The attackers communicate with victims through encrypted messaging platforms and demand ransom payments. The ransomware's execution flow includes reconnaissance, exploitation via brute force, accessing shared drives, and payload execution without leaving local artifacts. To mitigate risks, organizations should implement security measures such as regular antivirus updates, disabling unnecessary SMB sharing, requiring authentication, restricting public access, and enabling advanced detection systems.
OPENCTI LABELS:
ransomware, smb, wanttocry
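
The mitigations named in the summary (disabling unnecessary SMB sharing, requiring authentication, restricting public access) can be checked against a server's share configuration. The following is an added example, not part of the original report: it assumes the exposed host runs Samba and audits `smb.conf` text, and the sample configuration and share names are constructed.

```python
# Added example: audit smb.conf text for unauthenticated or unrestricted shares.
# SAMPLE is constructed for illustration; the share names are hypothetical.
SAMPLE = """\
[global]
   map to guest = Bad User
[public]
   guest ok = yes
   read only = no
[finance]
   valid users = @finance
   hosts allow = 10.0.0.0/8
"""

YES = {"yes", "true", "1"}

def parse_smb_conf(text):
    """Return {section: {parameter: value}}; names lower-cased, spacing normalised."""
    conf, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = conf.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return conf

def audit(text):
    """Return (share, finding) pairs for settings that leave shares exposed."""
    conf = parse_smb_conf(text)
    glob = conf.pop("global", {})
    findings = []
    if glob.get("map to guest", "never").lower() != "never":
        findings.append(("global", "failed logons can fall back to the guest account"))
    for name, p in conf.items():
        guest = p.get("guest ok", p.get("public", "no")).lower() in YES
        writable = (p.get("read only", "yes").lower() not in YES
                    or p.get("writable", p.get("writeable", "no")).lower() in YES)
        if guest:
            findings.append((name, "guest access, no authentication required"))
        if guest and writable:
            findings.append((name, "guest-writable, files can be encrypted remotely"))
        if "hosts allow" not in p and "hosts allow" not in glob:
            findings.append((name, "no 'hosts allow' restriction on client addresses"))
    return findings

if __name__ == "__main__":
    print(*(f"[{share}] {finding}" for share, finding in audit(SAMPLE)), sep="\n")
```

On a live server, feed it the output of `testparm -s`, which prints the effective configuration with includes resolved.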