
Weekly Security Roundup – May 22 2026

WantToCry Ransomware Remotely Encrypts Files Without Traditional Malware

SophosLabs has detailed a new ransomware variant called WantToCry that takes a different approach than most ransomware threats.

Instead of executing malware directly on a victim’s device, WantToCry scans the internet for open SMB ports, uses brute-force tactics to guess weak credentials, and then exfiltrates files to attacker-controlled infrastructure for encryption before overwriting the originals. Because the malware never actually runs on the victim’s machine, it bypasses a lot of traditional endpoint defenses.

The ransom demands are relatively low, around $600 USD, and there’s currently no evidence of a double-extortion or data-leak model. But the technical approach is worth paying attention to because it highlights a fundamental gap that many organizations still have: basic network hygiene.

The defense is straightforward. Close internet-facing SMB ports, remove anonymous access, and use file-content monitoring tools to block unauthorized encryption activity. These aren’t exotic controls. They’re the fundamentals that should already be in place.
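The credential-guessing phase described above leaves a loud trail in SMB authentication logs: bursts of failed logons from one source, often cycling through usernames, sometimes followed by a success. The following added example (not code from Sophos or from this roundup) shows detection logic for that pattern run over a few constructed log lines. It assumes a simplified "timestamp outcome username source_ip" record format and an internal address plan of RFC 1918 ranges; anything outside those ranges hitting SMB is flagged as an internet source, which is exactly the exposure the article says should not exist.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry). Each line is a simplified
# "timestamp outcome username source_ip" record standing in for the SMB/NTLM
# authentication events a file server or SIEM would actually produce.
SAMPLE_AUTH_LOG = """\
2026-05-20T02:14:01Z FAIL administrator 203.0.113.45
2026-05-20T02:14:02Z FAIL admin 203.0.113.45
2026-05-20T02:14:02Z FAIL backup 203.0.113.45
2026-05-20T02:14:03Z FAIL scan 203.0.113.45
2026-05-20T02:14:03Z FAIL administrator 203.0.113.45
2026-05-20T02:14:05Z SUCCESS scan 203.0.113.45
2026-05-20T09:00:10Z FAIL jsmith 10.0.0.22
2026-05-20T09:00:40Z SUCCESS jsmith 10.0.0.22
"""

LINE_RE = re.compile(r"^(\S+) (FAIL|SUCCESS) (\S+) (\S+)$")

# Assumption: the organisation's internal address plan is RFC 1918 plus loopback;
# any other source reaching SMB is treated as coming from the internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_auth_log(text):
    """Turn the constructed log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, outcome, user, ip = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "outcome": outcome,
            "user": user,
            "ip": ip,
        })
    return events


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect_smb_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag each source IP that produced >= threshold failed logons inside `window`.

    Each finding also records whether a successful logon followed the burst
    (the guessing worked) and whether the source lies outside the internal
    address plan (the SMB service is reachable from the internet).
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["outcome"] == "FAIL"]
        for i in range(len(fails)):
            # Extend the window forward from failure i.
            j = i
            while j < len(fails) and fails[j]["ts"] - fails[i]["ts"] <= window:
                j += 1
            if j - i < threshold:
                continue
            burst_end = fails[j - 1]["ts"]
            findings.append({
                "ip": ip,
                "failures": j - i,
                "usernames": sorted({e["user"] for e in fails[i:j]}),
                "external_source": is_external(ip),
                "success_after_burst": any(
                    e["outcome"] == "SUCCESS" and e["ts"] >= burst_end for e in evs),
            })
            break  # one finding per source IP is enough for triage
    return findings


if __name__ == "__main__":
    for finding in detect_smb_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(finding)
```

On the sample data the external source trips the threshold in two seconds and its burst ends in a successful logon, which is the combination that warrants an immediate response; the single internal failure followed by a success is a user mistyping a password and is not reported. Tune `threshold` and `window` to the server's normal failure rate before relying on the output.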

https://www.sophos.com/en-us/blog/wanttocry-ransomware-remotely-encrypts-files


Federal Data Breach Traced to Contractor’s Failure to Vet Employees

A significant security failure at Opexus, a software contractor managing sensitive data for US federal agencies, resulted in a massive insider threat breach.

The company hired twin brothers as engineers despite their previous federal convictions for hacking. It failed to secure proper clearances for them while granting them access to critical systems used by the IRS, GSA, and other departments. When the criminal background was eventually flagged during a virtual termination meeting, the brothers retained administrative access. From there, they deleted over 30 databases and copied thousands of files.

This isn’t a sophisticated attack. It’s a catastrophic failure in basic security practices: background checks, access control, and immediate revocation procedures during offboarding. The damage was preventable at multiple points, and at each point, the organization failed to act.

The lesson for every business, regardless of size or industry, is straightforward. Background checks matter. Access revocation during offboarding needs to be immediate and comprehensive. And administrative access should never outlive an employment relationship.
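"Administrative access should never outlive an employment relationship" is a rule that can be checked mechanically: reconcile the HR roster against an export of privileged accounts from every system and flag anything still enabled past a termination date. The following added example (not code from Opexus, InfiniTech, or the article) does that reconciliation over constructed sample data. The roster and account formats are assumptions; a real run would read an HR export and the admin-group membership of each system in scope.

```python
from datetime import date

# Constructed sample data (not a real roster or export). HR_ROSTER is what the HR
# system says about each person; PRIVILEGED_ACCOUNTS is an export of admin-level
# accounts pulled from each system that holds one.
HR_ROSTER = [
    {"user": "abrown", "status": "active", "termination_date": None},
    {"user": "cgreen", "status": "terminated", "termination_date": date(2026, 5, 15)},
    {"user": "dwhite", "status": "terminated", "termination_date": date(2026, 5, 20)},
]

PRIVILEGED_ACCOUNTS = [
    {"system": "db-prod", "user": "abrown", "role": "dba", "enabled": True, "last_login": date(2026, 5, 21)},
    {"system": "db-prod", "user": "cgreen", "role": "dba", "enabled": True, "last_login": date(2026, 5, 18)},
    {"system": "vpn", "user": "cgreen", "role": "admin", "enabled": False, "last_login": date(2026, 5, 14)},
    {"system": "fileshare", "user": "dwhite", "role": "admin", "enabled": True, "last_login": date(2026, 5, 20)},
    {"system": "db-prod", "user": "svc_legacy", "role": "dba", "enabled": True, "last_login": date(2026, 1, 2)},
]

# Date the reconciliation is run (constructed to match the roundup's week).
AS_OF = date(2026, 5, 22)

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}


def reconcile_offboarding(roster, accounts, today):
    """Return privileged accounts that should already be disabled or have no owner.

    critical: still enabled after termination AND used after the termination date
    high:     still enabled after termination, no use seen yet
    medium:   privileged account with no HR record (orphan or unmapped service account)
    """
    by_user = {r["user"]: r for r in roster}
    findings = []
    for acct in accounts:
        person = by_user.get(acct["user"])
        if person is None:
            findings.append({
                "system": acct["system"], "user": acct["user"], "role": acct["role"],
                "reason": "no_hr_record", "severity": "medium",
            })
            continue
        if person["status"] == "terminated" and acct["enabled"]:
            term = person["termination_date"]
            used_after = acct["last_login"] > term
            findings.append({
                "system": acct["system"], "user": acct["user"], "role": acct["role"],
                "reason": "enabled_after_termination",
                "days_open": (today - term).days,
                "used_after_termination": used_after,
                "severity": "critical" if used_after else "high",
            })
    # Most urgent first, then stable ordering so repeated runs diff cleanly.
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["user"], f["system"]))
    return findings


if __name__ == "__main__":
    for finding in reconcile_offboarding(HR_ROSTER, PRIVILEGED_ACCOUNTS, AS_OF):
        print(finding)
```

The critical finding is the one the Opexus story turns on: an account that stayed enabled after termination and was actually used afterwards. The medium finding matters too; a privileged account nobody in HR owns is exactly the kind of access that survives offboarding because no process is attached to it.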

https://www.insurancejournal.com/news/national/2025/05/21/824641.htm


GitHub Breach Came From Poisoned VS Code Extension in Supply-Chain Attack

GitHub has confirmed that a recent breach exposing roughly 3,800 of its internal repositories came from a supply-chain attack targeting developers where they work.

Threat actors managed to steal the credentials of a legitimate developer and uploaded a malicious version of the widely popular ‘Nx Console’ Visual Studio Code extension. The malicious version was configured to harvest authentication tokens, secrets, and private keys from developer machines. Although the compromised extension was taken down within 18 minutes, that was long enough. Users with auto-update enabled got infected, and eventually a GitHub employee’s device was compromised.

What makes this particularly concerning is how normal it looks. Developers download and update extensions constantly. Adding a layer of malicious code to a trusted tool is one of the most effective attack vectors because it bypasses a lot of the skepticism people normally apply to unknown sources.

The defense requires discipline: manual approvals for extension updates, restrictions on auto-update for critical development tools, and monitoring for unusual behavior on developer machines. InfiniTech’s Managed Detection and Response and Endpoint Protection can help catch this kind of suspicious activity before it spreads to more systems.

https://www.infosecurity-magazine.com/news/github-breach-nx-console-vs-code

CISA Flags Langflow and Trend Micro Vulnerabilities as Actively Exploited

The U.S. Cybersecurity and Infrastructure Security Agency has added actively exploited vulnerabilities affecting Langflow and Trend Micro Apex One to its Known Exploited Vulnerabilities (KEV) catalog.

This designation is a formal warning: threat actors are actively leveraging these flaws in real-world attacks right now. Organizations using Langflow, an AI development tool, and Trend Micro’s endpoint security platform need to apply vendor-supplied patches immediately.

What’s notable is how diverse the targets are. Langflow is modern AI infrastructure. Trend Micro Apex One is traditional enterprise endpoint security. Attackers aren’t being selective about what they exploit. They’re hitting everything that’s vulnerable and accessible.

The takeaway for Missouri businesses is simple. Patch management can’t be occasional or reactive. It needs to be a formal, prioritized process. If you’re running systems that are on CISA’s KEV list, patching should be treated as urgent, not as something to get to “when there’s time.”

InfiniTech’s Managed IT Services include proactive patch management and vulnerability tracking, so organizations don’t have to figure this out alone. We monitor what’s being actively exploited and help prioritize patches based on your actual environment and risk.
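Treating the KEV list as a formal, prioritized input to patching means matching it against what you actually run and ranking the result by risk rather than by arrival order. The following added example (not InfiniTech's tooling or code from the article) does that over a constructed subset in the shape of CISA's published KEV JSON feed. The field names (`cveID`, `vendorProject`, `product`, `dueDate`, `knownRansomwareCampaignUse`) match the real feed; the CVE ids, dates and the `ExampleVendor` entry are placeholders, the inventory format is an assumption, and the scoring weights are a starting point to adjust, not a standard.

```python
from datetime import date

# Constructed subset in the shape of CISA's KEV JSON feed. Field names match the
# real feed's entries; the CVE ids, dates and vendor names are placeholders, not
# real catalog entries.
SAMPLE_KEV = {
    "vulnerabilities": [
        {"cveID": "CVE-0000-00001", "vendorProject": "Langflow", "product": "Langflow",
         "dateAdded": "2026-05-19", "dueDate": "2026-06-09",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-00002", "vendorProject": "Trend Micro", "product": "Apex One",
         "dateAdded": "2026-05-19", "dueDate": "2026-06-09",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-00003", "vendorProject": "ExampleVendor", "product": "Widget",
         "dateAdded": "2026-04-10", "dueDate": "2026-05-01",
         "knownRansomwareCampaignUse": "Unknown"},
    ]
}

# Constructed asset inventory (assumed format): vendor/product per host plus
# whether the host is reachable from the internet.
INVENTORY = [
    {"host": "ai-dev-01", "vendorProject": "Langflow", "product": "Langflow", "internet_facing": True},
    {"host": "epp-mgr-01", "vendorProject": "Trend Micro", "product": "Apex One", "internet_facing": False},
    {"host": "web-01", "vendorProject": "Apache", "product": "HTTP Server", "internet_facing": True},
]

# Date the run is evaluated against (constructed to match the roundup's week).
AS_OF = date(2026, 5, 22)


def _key(vendor, product):
    """Normalise vendor/product names so small spelling differences still match."""
    return (vendor.strip().lower(), product.strip().lower())


def prioritize_kev(kev, inventory, today):
    """Match inventory against the KEV catalog and rank the resulting patch work.

    Score (higher = patch sooner): +3 known ransomware use, +2 internet-facing
    host, +2 past the CISA due date, +1 due within a week.
    """
    by_product = {}
    for entry in kev["vulnerabilities"]:
        by_product.setdefault(_key(entry["vendorProject"], entry["product"]), []).append(entry)

    work = []
    for asset in inventory:
        for entry in by_product.get(_key(asset["vendorProject"], asset["product"]), []):
            due = date.fromisoformat(entry["dueDate"])
            days_to_due = (due - today).days
            score = 0
            if entry.get("knownRansomwareCampaignUse") == "Known":
                score += 3
            if asset["internet_facing"]:
                score += 2
            if days_to_due < 0:
                score += 2
            elif days_to_due <= 7:
                score += 1
            work.append({
                "host": asset["host"], "cveID": entry["cveID"],
                "product": entry["product"], "due": due,
                "days_to_due": days_to_due, "overdue": days_to_due < 0,
                "score": score,
            })
    work.sort(key=lambda w: (-w["score"], w["due"], w["host"]))
    return work


if __name__ == "__main__":
    for item in prioritize_kev(SAMPLE_KEV, INVENTORY, AS_OF):
        print(item)
```

Two things the output makes visible that a raw KEV alert does not: the catalog entry for a product you do not run produces no work at all, and of the two entries you do run, the one tied to ransomware campaigns outranks the one on an internet-facing host under these weights. Swap `SAMPLE_KEV` for the feed CISA publishes at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json and `INVENTORY` for a CMDB or EDR export to run it for real.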

https://thehackernews.com/2026/05/cisa-adds-exploited-langflow-and-trend.html
