
WantToCry NAS Ransomware (.want_to_cry; !want_to_cry.txt) Support Topic



#16 amsupto

Posted 19 February 2024 - 03:09 PM

Hello!

Here is my story.

I have a small NUC with Ubuntu 22.04 with a Samba shared folder with a weak password.

Today I was browsing the shared folder using my Windows 11 laptop, and I noticed the "!want_to_cry.txt".

Of course I laughed at first, but 10 minutes afterwards it wasn't that funny.

It seems the affected folder is only the SHARED folder and its sub-folders. Nothing outside it!

It didn't encrypt all the files, but most of them.

Also, the files aren't entirely encrypted, only their header is mangled.

I opened a subtitle file (.srt) and after the 60th line the translation is OK.

The NUC is running 24/7. Could it have been attacked via the Internet? Because my laptop seems OK. I've just installed BitDefender as an antivirus and the scan was OK.

The second question: how do I know my Ubuntu NUC is safe and I can continue to work on it? Currently I'm scanning using ClamAV.


Edited by amsupto, 19 February 2024 - 03:20 PM.




#17 Zomka (Topic Starter)

Posted 19 February 2024 - 04:28 PM

The NUC is running 24/7. Could it have been attacked via the Internet? Because my laptop seems OK. I've just installed BitDefender as an antivirus and the scan was OK.

The second question: how do I know my Ubuntu NUC is safe and I can continue to work on it? Currently I'm scanning using ClamAV.

It was probably over the internet. I would never assume that a device that had even some of its data encrypted by ransomware is safe. I'd suggest recovering what you can and wiping everything. I had a tiny bit of luck using PhotoRec, which found some files on blocks of the drives that weren't overwritten yet. It does also look like Want_To_Cry only does partial encryption.


Edited by Zomka, 19 February 2024 - 04:28 PM.


#18 quietman7 (Global Moderator)

Posted 19 February 2024 - 07:23 PM

...It does also look like Want_To_Cry only does partial encryption.

Some ransomware (STOP Djvu, LockFile, BlackCat (ALPHV), Qyick, Agenda, Black Basta, LockBit 2.0, DarkSide, BlackMatter, Ryuk, Nemty, Play) only partially encrypts a file in order to avoid detection and encrypt the data as quickly as possible (before anyone notices), so it does not actually read/write/encrypt the entirety of the data.

Unfortunately, partial (intermittent) encryption often results in file corruption and renders the encrypted data useless, since the encryption is usually irreversible for these files: the encryption code overwrites part of the file with the encrypted data of another part, and there is no way to restore the overwritten data.


Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief


#19 bsh7

Posted 02 March 2024 - 04:33 AM

It happened to me, too:

I had a hard drive attached to a GL.iNet-branded router (Beryl AX), serving as my NAS. The ransomware attack happened on Jan 5 2024 (I saw that's when all the !want_to_cry files were created), but I didn't notice the attack until Feb 18th.

My setup was SMB; I had it accessible via LAN and WAN, using port 443, and it was password protected, but with a very weak password. To be honest I didn't realize it was WAN-accessible; I thought it was protected behind my network/router firewall and password, which is a lot more robust. My Win10 computer wasn't affected. No files were attacked/encrypted on any devices connected within my home network -- only the drive that I gave access to WAN with a weak password directly on the router. For that reason I think this was a brute force attack via a remote/online attacker that did a dictionary attack and was able to get access that way. But my IT skills are minimal and I realize there is a lot I don't know about network security.

I had an old backup so I didn't lose a whole lot of important information, but I'm definitely embarrassed that I left myself vulnerable.

I ended up doing a *.* search on the drive and picked out the things that did not get encrypted. Zip files were renamed but not encrypted: simply remove the extension they put on and you can extract the contents. Exe files were left alone, and I think .epub files were not altered either. You can try removing the file extension they added to different file types and see what's affected or not.

After all this I still have questions.

How did the attackers find access to my NAS? I don't even know what IP address to enter to find my NAS online!

If I had made my network SSID hidden, would that have helped?

If I had made access to my files read-only, would that have protected me from the attack?

Is this the same type of attack as the WannaCry ransomware back in 2017?

Does anyone know if there is a decryptor available that works on this new "!want_to_cry" encryption?

Is there a chance at recovering anything encrypted, or should I just call it a day, wipe my drive and move on?

Hopefully my experience can help some of you out there.
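An added example, not written by any poster in this thread: a small Python triage script a defender could run over a recovered share, combining the observations above (zip/epub files only renamed, headers mangled while later content stays readable) with quietman7's note that intermittent encryption touches only part of a file. The ".want_to_cry" extension is from the thread; the 4 KiB head window, the 7.2 bits/byte entropy threshold and the magic-byte table are assumptions.

```python
# Added triage example (not from the thread). For each *.want_to_cry file it
# reports: "intact" (known magic bytes still present, so only the name changed),
# "partial" (head looks random, remainder does not), "full" (whole file looks
# random) or "low-entropy" (nothing looks encrypted; inspect by hand).
import math
import os
from collections import Counter

EXT = ".want_to_cry"        # extension reported in the thread
HEAD_BYTES = 4096           # ASSUMED window for header damage (srt post: ~60 lines)
HIGH_ENTROPY = 7.2          # ASSUMED bits/byte above which data looks encrypted

# ASSUMED magic-byte table; ZIP-based formats (.zip, .epub, .docx) all start with PK.
MAGIC = {
    b"PK\x03\x04": "zip-based",
    b"MZ": "exe",
    b"%PDF": "pdf",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(data: bytes) -> str:
    """Classify one file's contents as intact / partial / full / low-entropy."""
    if any(data.startswith(m) for m in MAGIC):
        return "intact"             # header recognisable: just rename it back
    head, tail = data[:HEAD_BYTES], data[HEAD_BYTES:]
    head_random = entropy(head) >= HIGH_ENTROPY
    tail_random = entropy(tail) >= HIGH_ENTROPY if tail else head_random
    if head_random and not tail_random:
        return "partial"            # header mangled, remainder plausibly readable
    if head_random and tail_random:
        return "full"
    return "low-entropy"

def triage(root: str) -> dict:
    """Walk root and return {path: verdict} for every *.want_to_cry file."""
    verdicts = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(EXT):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as f:
                    verdicts[path] = classify(f.read())
    return verdicts
```

Files smaller than the head window cannot be split into head and tail, so a small random-looking file is reported as "full"; "partial" files are still corrupt in the overwritten region and should be treated as recovery candidates, not restored data.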



#20 quietman7 (Global Moderator)

Posted 02 March 2024 - 07:19 AM

There is no known method that I am aware of to decrypt files encrypted by WantToCry Ransomware without paying the ransom (not advisable) and obtaining the private encryption keys from those who created the ransomware, unless they are leaked or seized and released by authorities. The criminal's master private key is needed for decryption. Without the criminal's master private key, decryption is impossible.

