Services Recovery Ransomware WANT TO CRY

WHAT IS WantToCry Ransomware
“WantToCry” is a modern ransomware strain that uses a name similar to WannaCry, likely inspired by the older malware, but it is usually :
- not an official WannaCry variant
- using different infection methods
- more focused on NAS devices, SMB shares, home servers, and internet-exposed systems
Some community reports mention encrypted files receiving extensions such as :
-
.want_to_cry - ransom notes containing “I want to cry”
- or other WannaCry-like naming variations
How newer versions spread
Unlike the original WannaCry, which exploited the EternalBlue SMB vulnerability, modern “WantToCry” infections are more commonly associated with :
- exposed SMB shares
- weak passwords
- brute-force attacks
- internet-exposed RDP/SSH/VNC services
- poorly secured NAS devices
Several DFIR and cybersecurity community discussions suggest that some variants use large credential lists to attack exposed network services.
Common symptoms
Typical indicators include:
- files suddenly changing extensions
- ransom note TXT files appearing
- inaccessible or encrypted data
- encrypted network shares
- compromised NAS/Plex/media servers
Can files be decrypted ?
For modern variants :
- public decryptors are often unavailable
- recovery depends on the exact strain
- renaming files does NOT restore them
- backups remain the safest recovery method
Recommended immediate response
If a system is infected :
- Disconnect it from the network immediately
- Avoid repeated reboots
- Do not mass-rename encrypted files
- Create a forensic disk image if possible
- Close exposed SMB/RDP services
- Change all passwords
- Disable SMBv1
- Restore only from verified clean backups
Prevention tips
- Never expose SMB directly to the internet
- Use a VPN for remote access
- Enable MFA wherever possible
- Maintain offline backups
- Use least-privilege permissions on NAS/media shares
- Keep systems and firmware updated







