SophosLabs analysts investigated WantToCry ransomware attacks that involved the threat actors abusing the Server Message Block (SMB) service for initial access and then exfiltrating files to attacker-controlled infrastructure for remote encryption. The detection surface is significantly reduced because WantToCry operates without local malware execution, and there is no post-compromise activity beyond exfiltrating files and rewriting them to disk.
Read more…
Source: SophosLabs
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Cisco tells Webex users to patch critical security flaws immediately
April 17, 2026
Cisco has pushed a new patch to address four critical-severity vulnerabilities plaguing its cloud-based Webex Services platform – and has also warned Wi-Fi access points users of a bug in certain versions of IOS XE that could result in a device bootloop. Webex Services is a platform for communication and collaboration, letting people hold video meetings, ...
- Adapt or pay: an analysis of the AdaptixC2 framework
April 17, 2026
As highlighted in our previous post about the Mythic framework, threat actors are rapidly adopting emerging technologies and frameworks. A prime example of this trend is AdaptixC2, a relatively new open-source post-exploitation framework that has quickly captured the attention of the offensive security community. Its popularity stems from its open-source nature and high extensibility; the framework ...
- British National Pleads Guilty to Hacking into Companies and Stealing At Least $8 Million in Virtual Currency
April 17, 2026
SANTA ANA, California – A United Kingdom man pleaded guilty today to conspiring with others to hack into the computer systems of at least a dozen companies via text message phishing attacks and to steal at least $8 million in virtual currency from individual victims throughout the United States. Tyler Robert Buchanan, 24, of Dundee, Scotland, ...
- Dissecting Sapphire Sleet’s macOS intrusion from lure to compromise
April 16, 2026
Microsoft Threat Intelligence uncovered a macOS‑focused cyber campaign by the North Korean threat actor Sapphire Sleet that relies on social engineering rather than software vulnerabilities. By impersonating a legitimate software update, threat actors tricked users into manually running malicious files, allowing them to steal passwords, cryptocurrency assets, and personal data while avoiding built‑in macOS security checks. ...
- “iCloud storage is full” scam is back, and now it wants your payment details
April 16, 2026
A few months ago, we reported on a fake cloud storage alert that triggered a redirect chain to an app that has since been delisted from the Apple Store. The threat of losing your photos is a powerful lure, so scammers are now using it to steal personal and financial details. The Guardian warns about an ...
- Europol-supported global operation targets over 75 000 users engaged in DDoS attacks
April 16, 2026
On 13 April 2026, 21 countries joined forces in a coordinated action week that focused on enforcement and prevention measures against over 75 000 criminal users engaging in distributed denial-of-service (DDoS)-for-hire services. With over 75 000 warning emails and letters being sent to identified criminal users and 4 arrests, the action week also led to the ...