WantToCry Ransomware Exploits SMB to Remotely Abuse Services

Sarah Simpson
May 21, 2026

WantToCry, a potent ransomware strain, is actively compromising businesses. This threat exploits the Server Message Block (SMB) protocol—a widely used file-sharing service—to remotely encrypt files, as detailed in a recent analysis.

WantToCry takes its name from WannaCry, the devastating ransomware worm that tore through global networks in 2017 by exploiting a flaw in the Server Message Block, or SMB, protocol. While WantToCry borrows the name, it works very differently.

It does not spread on its own, and there is no evidence the two operations share any connection. What they do share is a common target: organizations that leave SMB ports open to the internet.

Analysts at SophosLabs investigated WantToCry attacks in which threat actors abused the SMB service for initial access and then exfiltrated files to attacker-controlled infrastructure for remote encryption, Sophos said in a report shared with Cyber Security News (CSN). The detection surface is significantly reduced because WantToCry operates without local malware execution: there is no post-compromise activity beyond exfiltrating files and rewriting them to disk.

Ransom note observed in WantToCry attacks (Source – Sophos)

The impact of the campaign is notable not because of the ransom amounts demanded, which ranged from $400 to $1,800 per victim, but because of how quietly it operates. No malware runs on the victim’s machine and no suspicious software gets installed.

The entire encryption process happens offsite on infrastructure the attackers control, making it far harder for traditional security tools to detect.

What makes this particularly concerning is the scale of potential exposure. As of January 7, 2026, over 1.5 million devices had SMB ports TCP 139 and 445 exposed to the internet, and any one could become a target if credentials are weak or already compromised.

WantToCry Ransomware Abuses SMB Services

WantToCry operators begin by scanning the internet for systems with open SMB ports. They rely on tools like Shodan and Censys to build lists of exposed targets, the same tools legitimate security teams use.

Once they identify a potential victim, they launch automated brute-force attacks against the exposed SMB service to break in using weak or already-leaked credentials.

After gaining access, the attackers do not install anything on the target machine. Instead, they pull the victim’s files through the authenticated SMB session to their own infrastructure, encrypt them there, and push the encrypted versions back to the original locations.

Figure 2: Ransom note observed in WantToCry attacks

Affected files are renamed with a .want_to_cry extension, and a ransom note named !Want_To_Cry.txt is dropped into the affected directories demanding payment in Bitcoin.

Two ransom note templates were observed during the campaign. One directed victims to contact attackers via qTox, while a near-identical version listed a Telegram account. Victims were told they could test decryption on up to three files before paying, with demands in observed incidents sitting at $600 per victim.

Detection Challenges and Defensive Steps

Because no malicious code runs locally, endpoint detection tools that rely on spotting suspicious processes or known malware signatures will largely miss WantToCry activity.

Security tools typically treat SMB file operations as normal system behavior, so the attack blends into everyday network traffic. Tools that monitor file content changes and detect encryption regardless of its source offer a stronger line of defense.
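The content-level approach described above, as an added example that is not code from the article or from Sophos: it compares two snapshots of a share (modelled as in-memory dictionaries so it runs offline) and flags the artifacts a remote-encryption campaign leaves behind, namely the .want_to_cry rename, the !Want_To_Cry.txt note, and rewritten files whose byte entropy has jumped to ciphertext levels. The sample file names and contents, the placeholder note text, the pseudo-ciphertext generator and the entropy thresholds are constructed assumptions; only the extension and note name come from the article's IoC table.

```python
"""Content-based detection of remotely encrypted files on a share.

Added example, not code from the article or from Sophos. Snapshots are plain
dicts of path -> bytes so the logic runs offline; names, contents and
thresholds below are constructed assumptions.
"""
import hashlib
import math
from collections import Counter

RANSOM_EXTENSION = ".want_to_cry"   # from the article's IoC table
RANSOM_NOTE = "!Want_To_Cry.txt"    # from the article's IoC table
ENTROPY_THRESHOLD = 7.5             # bits/byte; assumption, ciphertext sits near 8.0
ENTROPY_JUMP = 2.0                  # assumption: minimum rise between snapshots


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pseudo_ciphertext(seed: bytes, length: int) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted content (constructed)."""
    out, block = b"", seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:length]


def strip_ransom_ext(path: str) -> str:
    """Map 'report.txt.want_to_cry' back to 'report.txt'; other paths unchanged."""
    return path[:-len(RANSOM_EXTENSION)] if path.endswith(RANSOM_EXTENSION) else path


def analyze_snapshots(before: dict, after: dict) -> dict:
    """Compare two snapshots of a share and report signs of remote encryption.

    The entropy check is relative to the earlier snapshot: a file that was
    low-entropy text and is now near 8 bits/byte was rewritten with ciphertext,
    whichever side of the SMB session did the rewriting.
    """
    findings = {"ransom_notes": [], "renamed": [], "entropy_jump": [], "high_entropy_new": []}
    for path, data in after.items():
        if path.rsplit("/", 1)[-1] == RANSOM_NOTE:
            findings["ransom_notes"].append(path)
            continue
        original = strip_ransom_ext(path)
        if original != path:
            findings["renamed"].append(path)
        ent_after = shannon_entropy(data)
        if original in before:
            ent_before = shannon_entropy(before[original])
            if ent_after >= ENTROPY_THRESHOLD and ent_after - ent_before >= ENTROPY_JUMP:
                findings["entropy_jump"].append((path, round(ent_before, 2), round(ent_after, 2)))
        elif ent_after >= ENTROPY_THRESHOLD:
            findings["high_entropy_new"].append(path)
    return findings


# Constructed snapshots: before and after a simulated remote-encryption pass.
PLAINTEXT = b"Quarterly report: revenue grew in line with forecast. " * 80
BEFORE = {
    "share/finance/q1_report.txt": PLAINTEXT,
    "share/finance/q2_report.txt": PLAINTEXT,
    "share/hr/handbook.txt": PLAINTEXT,
}
AFTER = {
    "share/finance/q1_report.txt.want_to_cry": pseudo_ciphertext(b"q1", len(PLAINTEXT)),
    "share/finance/q2_report.txt.want_to_cry": pseudo_ciphertext(b"q2", len(PLAINTEXT)),
    "share/finance/!Want_To_Cry.txt": b"[constructed placeholder ransom note text]",
    "share/hr/handbook.txt": PLAINTEXT,  # untouched file, must not be flagged
}

if __name__ == "__main__":
    for key, value in analyze_snapshots(BEFORE, AFTER).items():
        print(f"{key}: {value}")
```

The comparison against the previous snapshot matters more than the absolute entropy: already-compressed formats such as ZIP-based Office documents, JPEG images and archives sit near 8 bits/byte before any attack, so an absolute threshold alone would drown the console in false positives, whereas a rename to an unknown extension combined with a large entropy jump on a file that used to be low-entropy is a strong signal regardless of which end of the SMB session performed the write.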

Network monitoring adds another protective layer. WantToCry operations generate observable artifacts, particularly sustained SMB read and write activity from external IP addresses at unusual volumes or outside normal business hours.

Brute-force attempts against SMB services can also serve as an early warning before encryption takes place.
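The network-side artifacts described in the last two paragraphs, as an added example that is not code from the article or from Sophos: it runs two heuristics over constructed SMB events, a burst of failed logons from one external address (and whether a success followed it, which is the moment a weak or leaked credential was confirmed) and sustained read/write volume from an external address outside business hours. The event format, the internal address ranges, the thresholds and the RFC 5737 sample addresses are assumptions; in a real deployment the records would be derived from the file server's Security log (failed network logons such as event 4625) or from a network sensor in front of it.

```python
"""Heuristic detection of WantToCry-style SMB abuse over constructed sample events.

Added example, not code from the article or from Sophos. Event records,
thresholds and internal address ranges are assumptions for illustration.
"""
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime

# Assumed internal ranges; any other source address is treated as external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
BUSINESS_HOURS = range(8, 18)             # 08:00-17:59 local time (assumption)
FAILED_AUTH_THRESHOLD = 5                 # failed SMB logons per external source
BULK_BYTES_THRESHOLD = 20 * 1024 * 1024   # 20 MiB of SMB I/O per external source

# Constructed sample events: (timestamp, source IP, event type, bytes moved).
# Event types: auth_fail, auth_ok, smb_read, smb_write. Source addresses use
# the RFC 5737 documentation ranges, not the IoCs from the article.
SAMPLE_EVENTS = [
    ("2026-01-07T02:10:01", "203.0.113.45", "auth_fail", 0),
    ("2026-01-07T02:10:02", "203.0.113.45", "auth_fail", 0),
    ("2026-01-07T02:10:03", "203.0.113.45", "auth_fail", 0),
    ("2026-01-07T02:10:04", "203.0.113.45", "auth_fail", 0),
    ("2026-01-07T02:10:05", "203.0.113.45", "auth_fail", 0),
    ("2026-01-07T02:10:06", "203.0.113.45", "auth_fail", 0),
    ("2026-01-07T02:10:07", "203.0.113.45", "auth_ok", 0),
    ("2026-01-07T02:11:00", "198.51.100.9", "smb_read", 15 * 1024 * 1024),
    ("2026-01-07T02:12:00", "198.51.100.9", "smb_write", 15 * 1024 * 1024),
    ("2026-01-07T10:30:00", "10.1.2.3", "auth_fail", 0),
    ("2026-01-07T10:30:05", "10.1.2.3", "auth_ok", 0),
    ("2026-01-07T10:31:00", "10.1.2.3", "smb_write", 40 * 1024 * 1024),
]


def is_external(ip: str) -> bool:
    """True when the address is outside every assumed internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect_bruteforce(events, threshold=FAILED_AUTH_THRESHOLD):
    """External sources whose failed SMB logons reach the threshold.

    Returns (flagged, confirmed): flagged maps ip -> failure count; confirmed
    holds sources that authenticated successfully after such a burst.
    """
    failures = Counter()
    confirmed = set()
    for _, ip, kind, _ in events:
        if not is_external(ip):
            continue
        if kind == "auth_fail":
            failures[ip] += 1
        elif kind == "auth_ok" and failures[ip] >= threshold:
            confirmed.add(ip)
    flagged = {ip: n for ip, n in failures.items() if n >= threshold}
    return flagged, confirmed


def detect_bulk_external_io(events, threshold=BULK_BYTES_THRESHOLD):
    """External sources moving at least `threshold` bytes over SMB.

    Returns ip -> (bytes, off_hours), where off_hours is True when any of that
    source's transfers fell outside BUSINESS_HOURS.
    """
    volume = defaultdict(int)
    off_hours = defaultdict(bool)
    for ts, ip, kind, nbytes in events:
        if kind not in ("smb_read", "smb_write") or not is_external(ip):
            continue
        volume[ip] += nbytes
        if datetime.fromisoformat(ts).hour not in BUSINESS_HOURS:
            off_hours[ip] = True
    return {ip: (b, off_hours[ip]) for ip, b in volume.items() if b >= threshold}


def run(events=SAMPLE_EVENTS) -> dict:
    """Combine both heuristics into one report."""
    flagged, confirmed = detect_bruteforce(events)
    return {
        "bruteforce_sources": flagged,
        "bruteforce_then_success": sorted(confirmed),
        "bulk_external_io": detect_bulk_external_io(events),
    }


if __name__ == "__main__":
    for key, value in run().items():
        print(f"{key}: {value}")
```

The internal host in the sample deliberately moves more data than the threshold and is ignored: the point of the article is that the encryption session is held from outside the network, so the source address is the discriminator, and a burst of failures followed by a success from that address is the earliest moment the defender can act.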

Organizations should disable the outdated SMBv1 protocol, block inbound SMB traffic on ports TCP 139 and TCP 445 at internet-facing firewalls, and remove guest or anonymous SMB access.

Ensuring that backups cannot be reached via SMB protocols is equally important. Extended detection and response tools capable of identifying reconnaissance and brute-force activity against SMB services provide a valuable early-warning layer.

Indicators of Compromise (IoCs):

Type            Indicator                         Description
IP address      87.225.105.217                    Russia-based hosting provider IP used for reconnaissance and brute-force SMB authentication attempts
IP address      109.69.58.213                     Attacker-controlled encryption infrastructure, geolocated to Germany
IP address      185.189.13.56                     Attacker-controlled encryption infrastructure, geolocated to the Russian Federation
IP address      185.200.191.37                    Attacker-controlled encryption infrastructure, geolocated to the United States of America
IP address      194.36.179.18                     Attacker-controlled encryption infrastructure, geolocated to Singapore
IP address      194.36.179.30                     Attacker-controlled encryption infrastructure, geolocated to Singapore
File name       !Want_To_Cry.txt                  Ransom note dropped into affected directories on victim systems
File extension  .want_to_cry                      Extension appended to all files encrypted by WantToCry ransomware
URL             hxxps://t[.]me/want_to_cry_team   Telegram contact channel listed in one variant of the WantToCry ransom note
Host name       WIN-J9D866ESJ2                    Windows Server 2016 virtual machine used in WantToCry attack infrastructure
Host name       WIN-LVFRVQFMKO                    Windows Server 2019 virtual machine observed in WantToCry attack infrastructure

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
