WantToCry NAS Ransomware (.want_to_cry; !want_to_cry.txt) Support Topic

Hey all.

My home Debian 12 server's SAMBA server got hit with a ransomware attack. The ransomware calls itself WantToCry.

Is there any way to decrypt the files? ID-Ransomware can't detect it and neither can NoMoreRansom.

If I need to attach a sample file or the ransom note, LMK!

Thanks

Edit: I misspelled hit as it in the title accidentally

Edit 2: The name of the ransom note is !want_to_cry.txt

Edited by quietman7, 02 March 2024 - 07:24 AM.

Is .WantToCry the full extension appended to the end of the encrypted data filename or is there an .[email], an ID number with random characters (.id-A04EBFC2, .id[4D21EF37-2214]), an ID number with an email address (.id-BCBEF350.[<email>], .id[7A9B748C-1104].[<email>]) or just a series of random characters (.8SLV8GMp-hjqo9v3s) preceding the extension?
 
What is the actual name of the ransom note? 
Can you provide (copy & paste) the ransom note contents in your next reply?
 
In addition to coping & pasting the ransom note...please attach the original (unedited) ransom note and several samples of encrypted files (different formats - doc, png, jpg) AND its original (unencrypted) file in a "zip file" for comparison so our crypto malware experts can manually inspect them and possibly identify/confirm the infection if they see this topic. To attach files....Click the More Reply Options button in the bottom right corner of the Board Editor, then click the Choose File button under Attach Files.

Is .WantToCry the full extension appended to the end of the encrypted data filename or is there an .[email], an ID number with random characters (.id-A04EBFC2, .id[4D21EF37-2214]), an ID number with an email address (.id-BCBEF350.[<email>], .id[7A9B748C-1104].[<email>]) or just a series of random characters (.8SLV8GMp-hjqo9v3s) preceding the extension?
 
What is the actual name of the ransom note? 
Can you provide (copy & paste) the ransom note contents in your next reply?
 
In addition to coping & pasting the ransom note...please attach the original (unedited) ransom note and several samples of encrypted files (different formats - doc, png, jpg) AND its original (unencrypted) file in a "zip file" for comparison so our crypto malware experts can manually inspect them and possibly identify/confirm the infection if they see this topic. To attach files....Click the More Reply Options button in the bottom right corner of the Board Editor, then click the Choose File button under Attach Files.

Hi, thank you so much for replying to my thread.

No, .want_to_cry is the only thing that gets added to the encrypted file's name.

The name of the ransom note is !want_to_cry.txt

The note also seems to contain some invalid characters or something because I can't copy-paste it anywhere and when I uploaded it to NoMoreRansom, I saw a bunch of invalid characters. I attached the note archived in a ZIP file here.

I'll look for some encrypted and original files right now.

Hey, here are the sample files (two JPG files and one H264 + MP4A video file in an MP4 container) and I didn't attach the ransom note in my previous reply, sorry about that.

Hi there,

I've just found my system has got infected in the last 3 days. I'm currently trying to decide if it is the PC or my NAS box. I'm seeing most of the files on the NAS box, but not all (yet).

It will be better for researchers if you add more encrypted files.

WantToCry Ransomware appeared in the first half of January.

Edited by Amigo-A, 16 February 2024 - 12:50 PM.

Apparently, some files weren't encrypted at all. No idea why, I couldn't find any correlation between them.

Also, I think the ransomware has an exception for .bin files since none of them got encrypted on my server.

Edited by Zomka, 17 February 2024 - 10:45 AM.

Apparently, some files weren't encrypted at all. No idea why, I couldn't find any correlation between them.

Also, I think the ransomware has an exception for .bin files since none of them got encrypted on my server.

It is not uncommon for ransomware infections to sometimes fail to encrypt all data, fail to leave ransom notes, fail to delete all shadow copy snapshots, fail to add an extension, add an extension but fail to encrypt files, especially if the encryption process encountered encryption glitches, involved shoddy malware programming code, only partially encrypt a file (first so many KB's at the beginning and/or end if it is very large), was hindered by installed security software or was interrupted by the victim...i.e. shutting down the computer). It is also not uncommon for ransomware to include an exception not to encrypt (skip) certain file extensions.

Hi there,

 

I've just found my system has got infected in the last 3 days. I'm currently trying to decide if it is the PC or my NAS box. I'm seeing most of the files on the NAS box, but not all (yet).

Ransom file and 1 encrypted file. @Zomka you got away with a cheaper ransom than me. They want $1060 from me, lol.

 !want_to_cry.txt   1.52KB   6 downloads

 2012 01 21 user.conf.zip   2.32KB   1 downloads

For what it's worth I think the "infection" was delivered in a bogus Zoom installer. I was in the middle of a Zoom webinar using the browser when things went a bit wrong. In a hurry I tried to download the Zoom app and hit the first link that came up. It didn't sort out Zoom but delivered a whole heap of trouble.

The affected files appear to all be on my NAS box. Not all files have been encrypted. I'm still running scans on the PC to try and determine if it is still infected.

Edited by TimmyMC, 17 February 2024 - 12:17 PM.

Zoom Official

https://zoom.us/ru/download

For data security purposes, you must assume that ALL other sites may be fake.

Edited by Amigo-A, 19 February 2024 - 02:36 AM.

 

Hi there,

 

I've just found my system has got infected in the last 3 days. I'm currently trying to decide if it is the PC or my NAS box. I'm seeing most of the files on the NAS box, but not all (yet).

 

Ransom file and 1 encrypted file. @Zomka you got away with a cheaper ransom than me. They want $1060 from me, lol.

 

!want_to_cry.txt

 

2012 01 21 user.conf.zip

 

For what it's worth I think the "infection" was delivered in a bogus Zoom installer. I was in the middle of a Zoom webinar using the browser when things went a bit wrong. In a hurry I tried to download the Zoom app and hit the first link that came up. It didn't sort out Zoom but delivered a whole heap of trouble.

 

The affected files appear to all be on my NAS box. Not all files have been encrypted. I'm still running scans on the PC to try and determine if it is still infected.

 

That’s interesting… I am certain that wasn’t the case for me. I use Linux on all computers on my local network with up-to-date packages and I haven’t downloaded or installed any new software outside of some Steam games onto my Steam Deck…

 of some Steam games onto my Steam Deck…

Edited by Amigo-A, 19 February 2024 - 02:58 AM.

For victims who are dealing with an NAS (Network Attached Storage) Linux-based device, the malware most likely infected a Windows-based machine and encrypted the NAS over the network. The criminals could also connect via Samba/SMB (Server Message Block) and run the malware from their system to encrypt files over the Internet which essentially is the same as encrypting files over a network-mapped drive. Attackers have been known to exploit the SQL Injection Vulnerability in Multimedia Console and the Media Streaming Add-On and Hard-Coded Credentials Vulnerability in HBS 3 Hybrid Backup Sync to execute the ransomware on vulnerable devices. Hacking passwords, OpenSSH vulnerabilities, exploiting security vulnerabilities and software are common attack vectors.

of some Steam games onto my Steam Deck…

Steam users are potential hostages of ransomware.
---
Through any games and applications of Steam and similar developments, it is quite easy to penetrate your computer. All gam-users are “in plain sight” of those who want to penetrate.
 
You can clear the desktop in your game account and still be vulnerable to attack via Steam.
The operating system used is not important here. They are all full of holes like a sieve; penetration is only a matter of time and desire.
 
What happens after penetration? This is also "as desired" of the attacker. He can have fun, see how the “test object” behaves, or erase some of the files, or encrypt or place them in a large archive with a long password, or steal data for blackmail or resale, or simply get out of your PC, or go away to "a another object", where there are more important files and a big snatch.

Edited by Zomka, 19 February 2024 - 08:27 AM.