Exposed SMB: The Hidden Risk Behind ‘WantToCry’ Ransomware Attacks


Introduction

Ransomware operators increasingly get in through overlooked weaknesses rather than novel exploits. One such weakness is a misconfigured Server Message Block (SMB) service, which hands an attacker direct access to sensitive data.

SMB, the protocol used for file and resource sharing across networks, is often left exposed because of weak credentials, outdated software and poor security configuration. These misconfigurations give cybercriminals an entry point to:

  • Gain unauthorized access to systems.
  • Move laterally within networks.
  • Deploy malicious payloads that encrypt critical files.

The recent activity of the WantToCry ransomware group shows how easily attackers exploit exposed SMB services to run ransomware campaigns. As threats grow more sophisticated, securing SMB configurations is no longer optional; it is a necessity for protecting critical data and infrastructure.

Initial Footprints of WantToCry

Emergence and Attack Vectors:

The WantToCry ransomware group, active since December 2023, has intensified its operations in 2024, targeting multiple network services, including:

  • SMB (Server Message Block)
  • SSH (Secure Shell)
  • FTP (File Transfer Protocol)
  • RPC (Remote Procedure Call)
  • VNC (Virtual Network Computing)

The group brute-forces these services with a wordlist of more than one million passwords, compromising systems that still use weak or default credentials.

Once access is gained, the ransomware remotely encrypts the publicly exposed network drives and NAS (Network-Attached Storage) devices and leaves behind a ransom note with payment details.

Threat Actor Communication Channels

WantToCry operators use encrypted messaging platforms to communicate with victims. The ransom note typically includes the following:

  • Telegram ID: https://t.me/want_to_cry_team
  • Tox ID: 963E6F7F58A67DEACBC2845469850B9A00E20E4000CE71B35DE789ABD0BE2F70D4147D5C0C91

Characteristics of WantToCry

WantToCry follows a classic ransomware pattern, modifying file extensions and dropping ransom notes to demand payment.

  • File Encryption: The ransomware encrypts files and appends the extension “.want_to_cry” to each affected file.
Fig:1 (Encrypted Files)
  • Ransom Note: A text file named “!want_to_cry.txt” is created in affected directories, providing instructions for ransom payment and contact details.
Fig:2 (Ransom Note)

Flow of Execution:

Fig: 3 (Execution Flow)
  • Reconnaissance:

The attacker conducts a network reconnaissance phase to identify systems with exposed SMB ports (commonly TCP port 445). This step includes scanning for accessible SMB services and analyzing system responses to determine potential targets with weak security configurations or unpatched vulnerabilities.

  • Exploitation via Brute Force:

After identifying open SMB services, the attacker initiates a brute-force attack against the SMB service, leveraging a large dictionary of commonly used passwords. This process aims to obtain valid credentials and gain unauthorized access to the victim’s system.

  • Accessing and Configuring Shared Drives:

Once authenticated, the attacker enumerates the available shares to find the sensitive or business-critical ones. The chosen shares are then mapped over the internet from the attacker's own host, which gives the attacker a persistent foothold and the channel through which the encryption step is carried out.

  • Payload Execution (Encryption Without Local Footprint):

The encryption runs entirely from the attacker's external host against the internet-facing shares; no binary is dropped on the victim, so no local artefacts are left behind. Files are read and rewritten in place on the share rather than downloaded or processed on the victim's machine. The impact therefore covers every file and directory the compromised account can reach through the share, while the absence of a local payload lowers the chance of endpoint detection and leaves little for host-based forensics.

Problem Overview

SMB is a protocol widely used for file and printer sharing on Windows networks. While it’s essential for collaboration, leaving SMB exposed without proper authentication can create a gateway for attackers.

In the cases we investigated, the affected system's public IP had SMB enabled and reachable from the internet without proper authentication, so remote users could access the shared drives directly. Exploited this way, the exposure bypasses host defences entirely and ends in encrypted files and potential data loss.

Detection

  • Indicators of compromise (IOC): attacker source IPs observed in these attacks
    • 194[.]36[.]179[.]18
    • 194[.]36[.]178[.]133
  • Seqrite / Quick Heal already detects the share-drive encryption activity as HEUR:Trojan.Win32.EncrSD.
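The execution flow above (burst of failed logons, a network logon from the same source, then mass renames to “.want_to_cry” and ransom-note drops on a share) and the IOC list lend themselves to a simple log-based detection. The following is an added example, not Seqrite's detection logic: it runs over constructed Windows Security event records (event 4625 failed logon, 4624 successful logon with LogonType 3 for network/SMB, 5145 detailed file-share access, which requires the “Audit Detailed File Share” subcategory to be enabled). Field names are simplified from the real event XML, and the thresholds are assumptions to tune per environment.

```python
"""Detect the WantToCry chain in Windows Security events (added example).

Event semantics used: 4625 = failed logon, 4624 = successful logon
(LogonType 3 = network/SMB), 5145 = detailed file share access.
Records are simplified dicts, not the raw event XML.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# IOCs from the post (defanged there as 194[.]36[.]179[.]18 etc.)
IOC_IPS = {"194.36.179.18", "194.36.178.133"}
RANSOM_EXT = ".want_to_cry"
RANSOM_NOTE = "!want_to_cry.txt"


def brute_force_sources(events, threshold=20, window=timedelta(seconds=60)):
    """Source IPs with >= threshold failed logons (4625) inside any sliding window."""
    per_ip = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625:
            per_ip[e["src_ip"]].append(e["ts"])
    flagged = set()
    for ip, times in per_ip.items():
        times.sort()
        recent = deque()
        for t in times:
            recent.append(t)
            while t - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold:
                flagged.add(ip)
                break
    return flagged


def network_logons_after_bruteforce(events, suspects):
    """(ip, user) pairs where a brute-forcing source later authenticated over the network."""
    return {(e["src_ip"], e["user"]) for e in events
            if e["event_id"] == 4624 and e.get("logon_type") == 3 and e["src_ip"] in suspects}


def is_ransomware_artifact(path):
    """True for files carrying the WantToCry extension or the ransom note name."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name.endswith(RANSOM_EXT) or name == RANSOM_NOTE.lower()


def share_encryption_sources(events, min_files=10):
    """Source IPs that touched >= min_files ransomware artifacts on a share (5145)."""
    count = defaultdict(int)
    for e in events:
        if e["event_id"] == 5145 and is_ransomware_artifact(e["object"]):
            count[e["src_ip"]] += 1
    return {ip for ip, n in count.items() if n >= min_files}


def analyse(events):
    """Run all three detections plus the IOC match and return the findings."""
    suspects = brute_force_sources(events)
    return {
        "brute_force": suspects,
        "post_bruteforce_logons": network_logons_after_bruteforce(events, suspects),
        "share_encryption": share_encryption_sources(events),
        "ioc_matches": {e["src_ip"] for e in events if e["src_ip"] in IOC_IPS},
    }


def sample_events():
    """Constructed records: one IOC IP brute-forces the 'admin' account, logs in
    over SMB and renames files on the Finance share; an internal workstation
    mistypes a password a few times and then does normal work (benign noise)."""
    t0 = datetime(2024, 5, 1, 2, 0, 0)
    attacker, internal = "194.36.179.18", "10.0.0.25"
    ev = []
    for i in range(30):  # 30 failures in 30 seconds
        ev.append({"ts": t0 + timedelta(seconds=i), "event_id": 4625,
                   "src_ip": attacker, "user": "admin", "logon_type": 3})
    ev.append({"ts": t0 + timedelta(seconds=31), "event_id": 4624,
               "src_ip": attacker, "user": "admin", "logon_type": 3})
    for i in range(12):  # encrypted files appear with the new extension
        ev.append({"ts": t0 + timedelta(seconds=40 + i), "event_id": 5145,
                   "src_ip": attacker, "user": "admin", "share": "\\\\*\\Finance",
                   "object": f"\\2024\\report{i}.xlsx{RANSOM_EXT}"})
    ev.append({"ts": t0 + timedelta(seconds=55), "event_id": 5145, "src_ip": attacker,
               "user": "admin", "share": "\\\\*\\Finance", "object": "\\2024\\" + RANSOM_NOTE})
    for i in range(3):  # benign: three typos, then success and ordinary writes
        ev.append({"ts": t0 + timedelta(minutes=5, seconds=i), "event_id": 4625,
                   "src_ip": internal, "user": "alice", "logon_type": 3})
    ev.append({"ts": t0 + timedelta(minutes=5, seconds=5), "event_id": 4624,
               "src_ip": internal, "user": "alice", "logon_type": 3})
    for i in range(5):
        ev.append({"ts": t0 + timedelta(minutes=5, seconds=10 + i), "event_id": 5145,
                   "src_ip": internal, "user": "alice", "share": "\\\\*\\Finance",
                   "object": f"\\2024\\budget_v{i}.xlsx"})
    return ev


if __name__ == "__main__":
    for key, value in analyse(sample_events()).items():
        print(f"{key}: {sorted(value)}")
```

The 5145 check is the one that catches the “no local footprint” case: because the encryptor never runs on the victim, the share server's object-access audit is often the only place the renames show up, so that subcategory needs to be enabled on file servers and NAS devices that forward logs.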

Consequences of Misconfiguration

Leaving SMB publicly accessible without authentication can have severe consequences, including:

  • Data Breaches: Unauthorized access to sensitive files.
  • Ransomware Attacks: Encryption of critical files, rendering them inaccessible without payment.
  • Operational Downtime: Extended recovery times leading to financial and reputational losses.
  • Increased Attack Surface: A simple misconfiguration can attract opportunistic attackers.

Best Practices to Mitigate Risks

To avoid falling victim to similar attacks, organizations should implement these security measures:

  1. Antivirus: Keep Seqrite / Quick Heal updated with the latest definitions.
  2. Disable SMB Sharing Where Unnecessary: If SMB is not actively used on a host, disable it to reduce the exposed surface.
  3. Require Authentication for SMB Access: Never leave SMB shares reachable without valid credentials; disable guest and anonymous access and use strong, unique passwords on every account that can reach a share.
  4. Restrict Public Access: Use firewalls to block inbound access to the SMB ports (TCP 445 and 139) from the internet; if remote users need file access, provide it through a VPN rather than an exposed share.
  5. Regularly Audit Configurations: Continuously monitor and review network and file-sharing configurations so that they stay aligned with security best practices.
  6. Enable Advanced Detection Systems: Use behaviour-based monitoring to detect suspicious activity and anomalies such as mass renames on a share.
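Items 2 to 5 come together in a configuration audit. The following added example (not Seqrite's tooling) assumes the exposed NAS or file server runs Samba and parses its smb.conf, flagging the settings that produce the scenario described above: guest fallback, SMB1 still allowed, no source-address restriction, no signing or encryption requirement, and writable shares open to any authenticated user. Both configurations are constructed; the parameter names are real Samba options, and the defaults assumed for absent keys are those of current Samba 4.x.

```python
"""Audit smb.conf for the settings that make a share a WantToCry target (added example)."""
import re

# Constructed: the kind of config found on an internet-exposed NAS.
WEAK_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   server min protocol = NT1
   map to guest = Bad User
   interfaces = 0.0.0.0

[backup]
   path = /srv/backup
   guest ok = yes
   read only = no
"""

# Constructed: the corrected counterpart.
HARDENED_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   server min protocol = SMB3
   map to guest = Never
   restrict anonymous = 2
   hosts allow = 10.0.0.0/8 192.168.0.0/16
   hosts deny = 0.0.0.0/0
   server signing = mandatory
   smb encrypt = required

[backup]
   path = /srv/backup
   guest ok = no
   read only = no
   valid users = @backup-operators
"""

TRUE_VALUES = ("yes", "true", "1")
FALSE_VALUES = ("no", "false", "0")
SMB1_DIALECTS = ("NT1", "LANMAN1", "LANMAN2", "CORE", "COREPLUS")


def parse_smb_conf(text):
    """Return {section: {param: value}}; keys are lower-cased and whitespace-normalised
    the way Samba treats them, '#' and ';' comments are dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def audit_smb_conf(text):
    """Return a list of (section, finding) pairs; an empty list means nothing weak was found."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    findings = []
    # Assumed Samba 4.x defaults apply when a key is absent.
    min_proto = g.get("server min protocol", "SMB2_02").upper()
    if min_proto in SMB1_DIALECTS:
        findings.append(("global", f"SMB1 allowed: server min protocol = {min_proto}"))
    if g.get("map to guest", "Never").lower() != "never":
        findings.append(("global", "map to guest != Never: failed logons fall back to anonymous access"))
    if "hosts allow" not in g:
        findings.append(("global", "no 'hosts allow': shares reachable from any source address"))
    if g.get("server signing", "default").lower() not in ("mandatory", "required"):
        findings.append(("global", "server signing is not mandatory"))
    if g.get("smb encrypt", "default").lower() not in ("required", "mandatory"):
        findings.append(("global", "smb encrypt is not required"))
    for name, params in conf.items():
        if name in ("global", "printers", "print$"):
            continue
        guest = params.get("guest ok", params.get("public", "no")).lower()
        if guest in TRUE_VALUES:
            findings.append((name, "guest ok = yes: no credentials needed"))
        writable = (params.get("read only", "yes").lower() in FALSE_VALUES
                    or params.get("writable", "no").lower() in TRUE_VALUES)
        if writable and "valid users" not in params:
            findings.append((name, "writable share without a 'valid users' restriction"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(f"== {label}: {len(audit_smb_conf(conf))} finding(s)")
        for section, finding in audit_smb_conf(conf):
            print(f"  [{section}] {finding}")
```

The `hosts allow` check is the configuration-level counterpart of the firewall rule in item 4; the two are not alternatives, since an attacker who reaches the port still gets a negotiate response, so the perimeter block remains the primary control and the Samba restriction is defence in depth.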

Author: Umar Khan A

Co-Author: Niraj Lazarus Makasare, Dixit Ashokbhai Panchal, Sumit Patil, Matin Tadvi

The post Exposed SMB: The Hidden Risk Behind ‘WantToCry’ Ransomware Attacks appeared first on Blogs on Information Technology, Network & Cybersecurity | Seqrite.