WantToCry: New Wave of Ransomware Hits Exposed SMB

Ransomware attacks continue to evolve, and they keep exploiting weaknesses that are easily forgotten. One such weakness is a misconfigured Server Message Block (SMB) service, the protocol used to share files and resources on a network. SMB services left exposed without proper protection are easy prey for cybercriminals.

According to Seqrite Labs, the attackers target SMB, FTP, and other network services. The main method of compromise is password guessing: credentials are tried from extensive databases of leaked account data. Once a valid login is found, the attackers encrypt files on the victim's disks and network storage devices and leave behind a ransom note.

Although security software and threat detection methods keep improving, the criminals adapt too. WantToCry ransomware not only brute-forces credentials but also encrypts files remotely over the exposed share, without dropping any malicious software onto the victim's machine. Because nothing executes locally, host-based antivirus has little to inspect, and the absence of a local payload makes incident analysis harder.

The published indicators of compromise include the IP addresses the attackers operated from. Victims are typically instructed to contact the attackers through encrypted channels such as Telegram and TOX. After encryption, files are given the ".want_to_cry" extension, and text files containing the ransom instructions are written into the affected directories.
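The behaviour described above translates directly into detection logic. The Python below is an added example, not code from the article or from Seqrite Labs: it scans an SMB authentication/access log for a burst of failed logons from one client followed by a success, and then for remote writes of files carrying the ".want_to_cry" extension from the same address. The log format, the sample lines, and the thresholds are constructed for this example; the Windows event IDs mentioned in the comments are the usual sources one would normalise from and are not something the article specifies.

```python
"""Flag the two WantToCry behaviours in an SMB authentication/access log:
a password-guessing burst from one client followed by a successful logon, and
remote writes of files carrying the ".want_to_cry" extension.

Added example, not code from the article or from Seqrite Labs. It assumes a
simplified log format (constructed for this example), one event per line:

    <ISO-8601 timestamp> <client IP> LOGON FAIL|LOGON OK|WRITE <detail>

Feeding it real data would mean normalising Windows Security events (4625/4624
with logon type 3, 5145 for share access) or Samba audit logs into that shape;
that mapping is not shown here. Thresholds are assumptions, not Seqrite's.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WANT_TO_CRY_EXT = ".want_to_cry"     # extension named in the article
FAIL_THRESHOLD = 5                    # failed logons per window (assumed)
FAIL_WINDOW = timedelta(minutes=5)    # sliding window (assumed)

# Constructed sample: one attacker guesses passwords, lands on "nas", then
# rewrites files over the share; a legitimate user writes an ordinary file.
SAMPLE_LOG = r"""
2024-05-10T08:00:01Z 203.0.113.7 LOGON FAIL user=admin
2024-05-10T08:00:02Z 203.0.113.7 LOGON FAIL user=administrator
2024-05-10T08:00:03Z 203.0.113.7 LOGON FAIL user=backup
2024-05-10T08:00:04Z 203.0.113.7 LOGON FAIL user=nas
2024-05-10T08:00:05Z 203.0.113.7 LOGON FAIL user=nas
2024-05-10T08:00:06Z 203.0.113.7 LOGON OK user=nas
2024-05-10T08:00:20Z 203.0.113.7 WRITE \\NAS\public\reports\q1.xlsx.want_to_cry
2024-05-10T08:00:21Z 203.0.113.7 WRITE \\NAS\public\reports\q2.xlsx.want_to_cry
2024-05-10T08:05:00Z 192.0.2.15 LOGON OK user=alice
2024-05-10T08:05:10Z 192.0.2.15 WRITE \\NAS\public\reports\notes.txt
"""


def parse_line(line):
    """Split one log line into (timestamp, client ip, action, detail)."""
    ts, ip, verb, rest = line.split(" ", 3)
    if verb == "LOGON":
        status, detail = rest.split(" ", 1)   # "FAIL user=admin" -> ("FAIL", "user=admin")
        action = "LOGON_" + status
    else:
        action, detail = verb, rest
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, action, detail


def analyse(lines):
    """Return a list of alert dicts, in the order the triggering events appear."""
    alerts = []
    fails = defaultdict(deque)   # client ip -> timestamps of recent failed logons
    bruteforcers = set()         # ips already reported for a guessing burst
    encryptors = set()           # ips already reported for remote encryption
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, ip, action, detail = parse_line(line)
        if action == "LOGON_FAIL":
            window = fails[ip]
            window.append(ts)
            while ts - window[0] > FAIL_WINDOW:   # drop failures outside the window
                window.popleft()
            if len(window) >= FAIL_THRESHOLD and ip not in bruteforcers:
                bruteforcers.add(ip)
                alerts.append({"type": "brute_force", "ip": ip, "failures": len(window)})
        elif action == "LOGON_OK":
            # A success shortly after a guessing burst is the credential win that
            # precedes the encryption phase.
            recent = fails[ip] and ts - fails[ip][-1] <= FAIL_WINDOW
            if ip in bruteforcers and recent:
                alerts.append({"type": "brute_force_success", "ip": ip, "account": detail})
        elif action == "WRITE" and detail.lower().endswith(WANT_TO_CRY_EXT):
            # The client rewrites files in place over SMB; nothing runs on the
            # server, so the renamed extension on the share is the signal.
            if ip not in encryptors:
                encryptors.add(ip)
                alerts.append({"type": "remote_encryption", "ip": ip, "first_file": detail})
    return alerts


def run_sample():
    """Run the detector over the constructed log above."""
    return analyse(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The guessing burst is reported once per client, the successful logon only if it lands within the window of the burst, and the first renamed file is enough to raise the encryption alert; in practice you would also page on the rename rate, since a legitimate user does not produce hundreds of ".want_to_cry" writes per minute.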

The root problem is that SMB is often left reachable without a password, or with weak or stale credentials. That lets attackers not only encrypt files but also move laterally through the network to other hosts. Publicly reachable SMB services are usually poorly protected and routinely fall victim to automated attacks.

To prevent such incidents, experts recommend disabling SMB where it is not needed and blocking TCP ports 445 and 139 from the Internet at the perimeter. It is equally important to use strong passwords, keep software up to date, and enable multifactor authentication wherever the access path supports it.
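The exposure the article describes is visible in the SMB server's own configuration. As an added example (not code from the article or from the Samba project), the Python below parses a Samba smb.conf and flags the weak settings: guest access, a writable anonymous share, SMB1 and NTLMv1 still enabled, and no restriction on which networks may connect. The parameter names are real Samba options; the target values and the defaults assumed for missing parameters are this example's own hardening baseline, and both configurations are constructed. Blocking ports 445 and 139 at the perimeter is a firewall task and is outside what smb.conf can express.

```python
"""Audit an smb.conf for the exposure pattern the article warns about: guest
(anonymous) access, writable public shares, SMB1/NTLMv1 still enabled, and no
restriction on which networks may connect.

Added example, not code from the article or from the Samba project. The
parameter names are real Samba options; the target values and the defaults
assumed for missing parameters are this example's hardening baseline, not
Samba's shipped defaults. Both configurations below are constructed.
"""

# Constructed: the kind of "just make it work" config found on exposed NAS boxes.
WEAK_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server min protocol = NT1
   map to guest = Bad User
   ntlm auth = yes

[public]
   path = /srv/public
   guest ok = yes
   writable = yes
"""

# Constructed: same share, authenticated only, modern dialects, LAN-only access.
HARDENED_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server min protocol = SMB3
   map to guest = Never
   ntlm auth = no
   server signing = mandatory
   smb encrypt = required
   hosts allow = 127.0.0.1 192.168.10.0/255.255.255.0
   hosts deny = ALL

[public]
   path = /srv/public
   guest ok = no
   writable = yes
   valid users = @staff
"""


def parse_smb_conf(text):
    """Minimal smb.conf reader: [section] headers and 'key = value' lines.
    Keys are lower-cased with whitespace collapsed; '#' and ';' start comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def is_yes(value):
    """Samba boolean: yes/true/1 are true, anything else (including 'ntlmv2-only') is not."""
    return value.strip().lower() in ("yes", "true", "1")


def share_is_writable(share):
    """Samba accepts several spellings; 'read only' wins when present."""
    if "read only" in share:
        return not is_yes(share["read only"])
    for key in ("writable", "writeable", "write ok"):
        if key in share:
            return is_yes(share[key])
    return False


def audit(conf):
    """Return (section, parameter, problem) tuples; an empty list means clean."""
    findings = []
    g = conf.get("global", {})
    if g.get("map to guest", "Never").lower() != "never":
        findings.append(("global", "map to guest", "failed logons fall through to the guest account"))
    proto = g.get("server min protocol", "SMB2_02").upper()
    if proto.startswith(("NT1", "LANMAN", "CORE")):
        findings.append(("global", "server min protocol", proto + " lets SMB1 clients in"))
    if is_yes(g.get("ntlm auth", "no")):
        findings.append(("global", "ntlm auth", "NTLMv1 accepted; weak password hashing"))
    if g.get("server signing", "").lower() != "mandatory":
        findings.append(("global", "server signing", "not mandatory; relay and tampering possible"))
    if g.get("smb encrypt", "").lower() not in ("required", "desired"):
        findings.append(("global", "smb encrypt", "traffic not encrypted on the wire"))
    if "hosts allow" not in g:
        findings.append(("global", "hosts allow", "no source-network restriction; anything reaching port 445 may connect"))
    for name, share in conf.items():
        if name == "global":
            continue
        guest = is_yes(share.get("guest ok", share.get("public", "no")))
        if guest and share_is_writable(share):
            findings.append((name, "guest ok", "anonymous writable share: encryptable with no credential at all"))
        elif guest:
            findings.append((name, "guest ok", "anonymous read access"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(label, audit(parse_smb_conf(text)) or "clean")
```

The anonymous writable share is the finding that matters most for this campaign: it is exactly the case where no password guessing is needed at all, and the ransomware can rewrite every file from the attacker's own host.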

Modern endpoint protection and network monitoring tools help catch suspicious activity early, but even the best tools cannot remove the human factor: an exposed, unauthenticated share is a configuration decision, not a detection gap. Properly configuring network security remains a critical aspect in combating cyber
