Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Generic User Avatar

WantToCry NAS Ransomware (.want_to_cry; !want_to_cry.txt) Support Topic


  • Please log in to reply
19 replies to this topic

#1 Zomka

Zomka

  •  Avatar image
  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:07 AM

Posted 16 February 2024 - 08:31 AM

Hey all.

 

My home Debian 12 server's SAMBA server got hit with a ransomware attack. The ransomware calls itself WantToCry.

Is there any way to decrypt the files? ID-Ransomware can't detect it and neither can NoMoreRansom.

 

If I need to attach a sample file or the ransom note, LMK!

 

Thanks :)

 

Edit: I misspelled hit as it in the title accidentally

 

Edit 2: The name of the ransom note is !want_to_cry.txt


Edited by quietman7, 02 March 2024 - 07:24 AM.


BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Gumshoe


  •  Avatar image
  • Global Moderator
  • 61,818 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:07 AM

Posted 16 February 2024 - 08:36 AM

Is .WantToCry the full extension appended to the end of the encrypted data filename or is there an .[email], an ID number with random characters (.id-A04EBFC2, .id[4D21EF37-2214]), an ID number with an email address (.id-BCBEF350.[<email>], .id[7A9B748C-1104].[<email>]) or just a series of random characters (.8SLV8GMp-hjqo9v3s) preceding the extension?
 
What is the actual name of the ransom note? 
Can you provide (copy & paste) the ransom note contents in your next reply?
 
In addition to coping & pasting the ransom note...please attach the original (unedited) ransom note and several samples of encrypted files (different formats - doc, png, jpg) AND its original (unencrypted) file in a "zip file" for comparison so our crypto malware experts can manually inspect them and possibly identify/confirm the infection if they see this topic. To attach files....Click the More Reply Options button in the bottom right corner of the Board Editor, then click the Choose File button under Attach Files.


.
.
Microsoft MVP Alumni 2023Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023

Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif


#3 Zomka

Zomka
  • Topic Starter

  •  Avatar image
  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:07 AM

Posted 16 February 2024 - 08:47 AM

Is .WantToCry the full extension appended to the end of the encrypted data filename or is there an .[email], an ID number with random characters (.id-A04EBFC2, .id[4D21EF37-2214]), an ID number with an email address (.id-BCBEF350.[<email>], .id[7A9B748C-1104].[<email>]) or just a series of random characters (.8SLV8GMp-hjqo9v3s) preceding the extension?
 
What is the actual name of the ransom note? 
Can you provide (copy & paste) the ransom note contents in your next reply?
 
In addition to coping & pasting the ransom note...please attach the original (unedited) ransom note and several samples of encrypted files (different formats - doc, png, jpg) AND its original (unencrypted) file in a "zip file" for comparison so our crypto malware experts can manually inspect them and possibly identify/confirm the infection if they see this topic. To attach files....Click the More Reply Options button in the bottom right corner of the Board Editor, then click the Choose File button under Attach Files.

Hi, thank you so much for replying to my thread.

No, .want_to_cry is the only thing that gets added to the encrypted file's name.

The name of the ransom note is !want_to_cry.txt

The note also seems to contain some invalid characters or something because I can't copy-paste it anywhere and when I uploaded it to NoMoreRansom, I saw a bunch of invalid characters. I attached the note archived in a ZIP file here.

I'll look for some encrypted and original files right now.



#4 Zomka

Zomka
  • Topic Starter

  •  Avatar image
  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:07 AM

Posted 16 February 2024 - 09:01 AM

Hey, here are the sample files (two JPG files and one H264 + MP4A video file in an MP4 container) and I didn't attach the ransom note in my previous reply, sorry about that.

Attached Files



#5 TimmyMC

TimmyMC

  •  Avatar image
  • Members
  • 2 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:07 AM

Posted 16 February 2024 - 11:06 AM

Hi there,

 

I've just found my system has got infected in the last 3 days. I'm currently trying to decide if it is the PC or my NAS box. I'm seeing most of the files on the NAS box, but not all (yet).



#6 Amigo-A

Amigo-A

    Security specialist and Ransomware expert


  •  Avatar image
  • Members
  • 3,049 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Bering Strait
  • Local time:10:07 AM

Posted 16 February 2024 - 11:23 AM

It will be better for researchers if you add more encrypted files.

 

WantToCry Ransomware appeared in the first half of January.


Edited by Amigo-A, 16 February 2024 - 12:50 PM.

My site: The Digest "Crypto-Ransomware"  + Google Translate 

 


#7 Zomka

Zomka
  • Topic Starter

  •  Avatar image
  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:07 AM

Posted 17 February 2024 - 10:45 AM

Apparently, some files weren't encrypted at all. No idea why, I couldn't find any correlation between them.

 

Also, I think the ransomware has an exception for .bin files since none of them got encrypted on my server.


Edited by Zomka, 17 February 2024 - 10:45 AM.


#8 quietman7

quietman7

    Bleepin' Gumshoe


  •  Avatar image
  • Global Moderator
  • 61,818 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:07 AM

Posted 17 February 2024 - 11:28 AM

Apparently, some files weren't encrypted at all. No idea why, I couldn't find any correlation between them.

Also, I think the ransomware has an exception for .bin files since none of them got encrypted on my server.


It is not uncommon for ransomware infections to sometimes fail to encrypt all data, fail to leave ransom notes, fail to delete all shadow copy snapshots, fail to add an extension, add an extension but fail to encrypt files, especially if the encryption process encountered encryption glitches, involved shoddy malware programming code, only partially encrypt a file (first so many KB's at the beginning and/or end if it is very large), was hindered by installed security software or was interrupted by the victim...i.e. shutting down the computer). It is also not uncommon for ransomware to include an exception not to encrypt (skip) certain file extensions.


.
.
Microsoft MVP Alumni 2023Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023

Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif


#9 TimmyMC

TimmyMC

  •  Avatar image
  • Members
  • 2 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:07 AM

Posted 17 February 2024 - 12:01 PM

Hi there,

 

I've just found my system has got infected in the last 3 days. I'm currently trying to decide if it is the PC or my NAS box. I'm seeing most of the files on the NAS box, but not all (yet).

 

Ransom file and 1 encrypted file. @Zomka you got away with a cheaper ransom than me. They want $1060 from me, lol.

 

Attached File  !want_to_cry.txt   1.52KB   4 downloads

 

Attached File  2012 01 21 user.conf.zip   2.32KB   0 downloads

 

For what it's worth I think the "infection" was delivered in a bogus Zoom installer. I was in the middle of a Zoom webinar using the browser when things went a bit wrong. In a hurry I tried to download the Zoom app and hit the first link that came up. It didn't sort out Zoom but delivered a whole heap of trouble.

 

The affected files appear to all be on my NAS box. Not all files have been encrypted. I'm still running scans on the PC to try and determine if it is still infected.


Edited by TimmyMC, 17 February 2024 - 12:17 PM.


#10 Amigo-A

Amigo-A

    Security specialist and Ransomware expert


  •  Avatar image
  • Members
  • 3,049 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Bering Strait
  • Local time:10:07 AM

Posted 19 February 2024 - 02:23 AM

Zoom Official

https://zoom.us/ru/download

 

For data security purposes, you must assume that ALL other sites may be fake.

Even if they look official, even if they claim to be partners of the official website. No one can give a 100% guarantee that this is true. A lie is very similar to the truth and the one who wants to hear the truth is vulnerable.
---
Everyone lies - politicians, diplomats, high-ranking officials and even heads of state. Lying is more profitable for them. It's easier to lie, but harder to tell the truth.

Edited by Amigo-A, 19 February 2024 - 02:36 AM.

My site: The Digest "Crypto-Ransomware"  + Google Translate 

 


#11 Zomka

Zomka
  • Topic Starter

  •  Avatar image
  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:07 AM

Posted 19 February 2024 - 02:34 AM

 

Hi there,

 

I've just found my system has got infected in the last 3 days. I'm currently trying to decide if it is the PC or my NAS box. I'm seeing most of the files on the NAS box, but not all (yet).

 

Ransom file and 1 encrypted file. @Zomka you got away with a cheaper ransom than me. They want $1060 from me, lol.

 

attachicon.gif!want_to_cry.txt

 

attachicon.gif2012 01 21 user.conf.zip

 

For what it's worth I think the "infection" was delivered in a bogus Zoom installer. I was in the middle of a Zoom webinar using the browser when things went a bit wrong. In a hurry I tried to download the Zoom app and hit the first link that came up. It didn't sort out Zoom but delivered a whole heap of trouble.

 

The affected files appear to all be on my NAS box. Not all files have been encrypted. I'm still running scans on the PC to try and determine if it is still infected.

 

That’s interesting… I am certain that wasn’t the case for me. I use Linux on all computers on my local network with up-to-date packages and I haven’t downloaded or installed any new software outside of some Steam games onto my Steam Deck…



#12 Amigo-A

Amigo-A

    Security specialist and Ransomware expert


  •  Avatar image
  • Members
  • 3,049 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Bering Strait
  • Local time:10:07 AM

Posted 19 February 2024 - 02:40 AM

 of some Steam games onto my Steam Deck…

Steam users are potential hostages of ransomware.
---
Through any games and applications of Steam and similar developments, it is quite easy to penetrate your computer. All gam-users are “in plain sight” of those who want to penetrate.
 
You can clear the desktop in your game account and still be vulnerable to attack via Steam.
The operating system used is not important here. They are all full of holes like a sieve; penetration is only a matter of time and desire.
 
What happens after penetration? This is also "as desired" of the attacker. He can have fun, see how the “test object” behaves, or erase some of the files, or encrypt or place them in a large archive with a long password, or steal data for blackmail or resale, or simply get out of your PC, or go away to "a another object", where there are more important files and a big snatch.

Edited by Amigo-A, 19 February 2024 - 02:58 AM.

My site: The Digest "Crypto-Ransomware"  + Google Translate 

 


#13 quietman7

quietman7

    Bleepin' Gumshoe


  •  Avatar image
  • Global Moderator
  • 61,818 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:07 AM

Posted 19 February 2024 - 08:01 AM

For victims who are dealing with an NAS (Network Attached Storage) Linux-based device, the malware most likely infected a Windows-based machine and encrypted the NAS over the network. The criminals could also connect via Samba/SMB (Server Message Block) and run the malware from their system to encrypt files over the Internet which essentially is the same as encrypting files over a network-mapped drive. Attackers have been known to exploit the SQL Injection Vulnerability in Multimedia Console and the Media Streaming Add-On and Hard-Coded Credentials Vulnerability in HBS 3 Hybrid Backup Sync to execute the ransomware on vulnerable devices. Hacking passwords, OpenSSH vulnerabilities, exploiting security vulnerabilities and software are common attack vectors.


.
.
Microsoft MVP Alumni 2023Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023

Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif


#14 Zomka

Zomka
  • Topic Starter

  •  Avatar image
  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:07 AM

Posted 19 February 2024 - 08:25 AM

For me it was definitely something done over the internet then. I didnt have any computers with Windows online for a while and especially not during the time the files were encrypted.

I had a relatively weak password on my SMB server and never setup fail2ban, so I guess I learned my lesson.

#15 Zomka

Zomka
  • Topic Starter

  •  Avatar image
  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:07 AM

Posted 19 February 2024 - 08:26 AM

of some Steam games onto my Steam Deck…

Steam users are potential hostages of ransomware.
---
Through any games and applications of Steam and similar developments, it is quite easy to penetrate your computer. All gam-users are “in plain sight” of those who want to penetrate.
 
You can clear the desktop in your game account and still be vulnerable to attack via Steam.
The operating system used is not important here. They are all full of holes like a sieve; penetration is only a matter of time and desire.
 
What happens after penetration? This is also "as desired" of the attacker. He can have fun, see how the “test object” behaves, or erase some of the files, or encrypt or place them in a large archive with a long password, or steal data for blackmail or resale, or simply get out of your PC, or go away to "a another object", where there are more important files and a big snatch.
I highly doubt that Valve games, VRChat and Dolphin Emulator (Flatpak version) were distributed with malicious code…

Edited by Zomka, 19 February 2024 - 08:27 AM.





1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users