
The Download
The "WantToCry" ransomware group has been actively exploiting misconfigured Server Message Block (SMB) services to infiltrate networks and encrypt Network-Attached Storage (NAS) devices. By leveraging weak credentials, outdated software, and poor security configurations, attackers gain unauthorized access to exposed SMB services. Once inside, they move laterally across networks, escalate privileges, and deploy ransomware payloads that encrypt critical files, leaving victims with files renamed with the ".want_to_cry" extension and ransom notes titled "!want_to_cry.txt". This method lets attackers encrypt files directly over the network without leaving traces on local systems, complicating detection and forensic analysis. Many small and medium-sized businesses leave default credentials or anonymous login enabled on NAS devices behind the firewall, and ransomware attackers exploit exactly that.
What You Can Do
To protect against such attacks, IT administrators should disable unnecessary SMB services and ensure that any required SMB services are properly configured and secured. Implementing strong, unique passwords and rotating them regularly can prevent unauthorized access through brute-force attacks. Keeping software and firmware up to date is crucial to patch known vulnerabilities that attackers might exploit. Additionally, monitoring network traffic for unusual activity and restricting access to SMB services to trusted IP addresses further reduces exposure. Regular backups of critical data, stored offline or in secure, isolated environments, allow recovery without yielding to ransom demands.
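As an added example (not code from the original post or from ThreatMate), the following Python audit reads a Samba smb.conf and flags the settings this post warns about: guest or anonymous access, SMB1 still allowed, and no source-address restriction. It assumes the NAS runs Samba, and both configuration fragments are constructed for illustration, one weak and one hardened.

```python
import configparser

# Constructed smb.conf fragments (not from any real NAS): the first has the
# weak settings described above, the second is the hardened counterpart.
WEAK_SMB_CONF = """\
[global]
   map to guest = Bad User
   server min protocol = NT1
[backup]
   path = /volume1/backup
   guest ok = yes
"""

HARDENED_SMB_CONF = """\
[global]
   map to guest = Never
   server min protocol = SMB3
   hosts allow = 10.0.5.0/24 127.0.0.1
   hosts deny = ALL
[backup]
   path = /volume1/backup
   guest ok = no
"""

SMB1_DIALECTS = {"core", "coreplus", "lanman1", "lanman2", "nt1"}

def _is_yes(value):
    # Samba treats yes/true/1 as boolean true, case-insensitively.
    return value.strip().lower() in {"yes", "true", "1"}

def audit_smb_conf(text):
    """Return (section, finding) pairs for settings that allow anonymous,
    password-less or source-unrestricted access to the server's shares."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   strict=False, empty_lines_in_values=False)
    cp.read_string(text)
    findings = []
    g = cp["global"] if cp.has_section("global") else {}
    if g.get("map to guest", "Never").strip().lower() != "never":
        findings.append(("global", "map to guest turns failed logins into guest sessions"))
    if g.get("server min protocol", "").strip().lower() in SMB1_DIALECTS:
        findings.append(("global", "server min protocol still permits SMB1"))
    if "hosts allow" not in g:
        findings.append(("global", "no hosts allow: reachable from any source address"))
    for name in cp.sections():  # per-share sections; [global] handled above
        share = cp[name]
        if name != "global" and (_is_yes(share.get("guest ok", "no"))
                                 or _is_yes(share.get("public", "no"))):
            findings.append((name, "guest ok = yes grants access without a password"))
    return findings
```

Running audit_smb_conf on a NAS's real smb.conf (for example after copying it off the device) lists every share that still accepts guest logins; the hardened fragment should produce no findings.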
ThreatMate automated pentesting will identify NAS devices that have poor authentication practices. Sign up for a demo today.
To Learn More: