CyberSecurityNews

WantToCry Ransomware Abuses SMB Services to Remotely Encrypt Files


A ransomware strain called WantToCry has been targeting businesses by abusing a widely used file-sharing protocol to encrypt files without dropping any malware on the victim’s system.

The attacks mark a notable shift in how ransomware operators approach campaigns, serving as a warning to any organization that still has file-sharing services exposed to the open internet.

WantToCry takes its name from WannaCry, the devastating ransomware worm that tore through global networks in 2017 by exploiting a flaw in the Server Message Block, or SMB, protocol. While WantToCry borrows the name, it works very differently.

It does not spread on its own, and there is no evidence the two operations share any connection. What they do share is a common target: organizations that leave SMB ports open to the internet.

“Analysts at SophosLabs investigated WantToCry attacks that involved threat actors abusing the SMB service for initial access and then exfiltrating files to attacker-controlled infrastructure for remote encryption,” Sophos said in a report shared with Cyber Security News (CSN). The detection surface is significantly reduced because WantToCry operates without local malware execution, with no post-compromise activity beyond exfiltrating files and rewriting them to disk.

Ransom note observed in WantToCry attacks (Source – Sophos)

The impact of the campaign is notable not because of the ransom amounts demanded, which ranged from $400 to $1,800 per victim, but because of how quietly it operates. No malware runs on the victim’s machine and no suspicious software gets installed.

The entire encryption process happens offsite on infrastructure the attackers control, making it far harder for traditional security tools to detect.

What makes this particularly concerning is the scale of potential exposure. As of January 7, 2026, over 1.5 million devices had SMB ports TCP 139 and 445 exposed to the internet, and any one of them could become a target if its credentials are weak or already compromised.

WantToCry Ransomware Abuses SMB Services

WantToCry operators begin by scanning the internet for systems with open SMB ports. They rely on tools like Shodan and Censys to build lists of exposed targets, the same tools legitimate security teams use.

Once they identify a potential victim, they launch automated brute-force attacks against the exposed SMB service to break in using weak or already-leaked credentials.

After gaining access, the attackers do not install anything on the target machine. Instead, they pull the victim’s files through the authenticated SMB session to their own infrastructure, encrypt them there, and push the encrypted versions back to the original locations.

Figure 2: Ransom note observed in WantToCry attacks

Affected files are renamed with a .want_to_cry extension, and a ransom note named !Want_To_Cry.txt demanding Bitcoin payment is dropped into the affected directories.

Two ransom note templates were observed during the campaign. One directed victims to contact attackers via qTox, while a near-identical version listed a Telegram account. Victims were told they could test decryption on up to three files before paying, with demands in observed incidents sitting at $600 per victim.

Detection Challenges and Defensive Steps

Because no malicious code runs locally, endpoint detection tools that rely on spotting suspicious processes or known malware signatures will largely miss WantToCry activity.

Security tools typically treat SMB file operations as normal system behavior, so the attack blends into everyday network traffic. Tools that monitor file content changes and detect encryption regardless of its source offer a stronger line of defense.

Network monitoring adds another protective layer. WantToCry operations generate observable artifacts, particularly sustained SMB read and write activity from external IP addresses at unusual volumes or outside normal business hours.

Brute-force attempts against SMB services can also serve as an early warning before encryption takes place.
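The following detector, added here as an illustration and not code from Sophos or the article, turns the artifacts just described into checks over SMB audit records: repeated failed logons from one client, read/write volume or off-hours activity from an address outside the internal ranges, and writes that carry the WantToCry extension or note name. The record format, the internal ranges, the thresholds and the sample events are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample SMB audit records (not real telemetry):
# (timestamp, client IP, event, bytes moved, path; path is empty for logon events)
SAMPLE_EVENTS = [
    ("2026-01-07T02:10:01", "203.0.113.10", "auth_fail", 0, ""),
    ("2026-01-07T02:10:02", "203.0.113.10", "auth_fail", 0, ""),
    ("2026-01-07T02:10:03", "203.0.113.10", "auth_fail", 0, ""),
    ("2026-01-07T02:10:04", "203.0.113.10", "auth_ok", 0, ""),
    ("2026-01-07T02:11:00", "203.0.113.10", "read", 40_000_000, r"\share\finance\q4.xlsx"),
    ("2026-01-07T02:12:00", "203.0.113.10", "write", 40_000_000, r"\share\finance\q4.xlsx.want_to_cry"),
    ("2026-01-07T02:12:01", "203.0.113.10", "write", 900, r"\share\finance\!Want_To_Cry.txt"),
    ("2026-01-07T10:30:00", "10.0.0.5", "read", 2_000_000, r"\share\hr\handbook.pdf"),
]

# Thresholds and ranges are assumptions for the demo; tune them to the environment.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BRUTE_FORCE_FAILS = 3          # failed logons from one client before alerting
OFF_HOURS = range(0, 7)        # local hours treated as outside business hours
VOLUME_THRESHOLD = 50_000_000  # cumulative bytes moved by one external client
RANSOM_MARKERS = (".want_to_cry", "!want_to_cry.txt")  # names from the IoC table

def detect(events):
    """Return sorted (client_ip, reason) alerts for the artifacts described above."""
    fails = defaultdict(int)    # failed logons per client
    volume = defaultdict(int)   # bytes read+written per external client
    alerts = set()
    for ts, ip, event, nbytes, path in events:
        external = not any(ip_address(ip) in net for net in INTERNAL_NETS)
        hour = datetime.fromisoformat(ts).hour
        if event == "auth_fail":
            fails[ip] += 1
            if fails[ip] == BRUTE_FORCE_FAILS:
                alerts.add((ip, "smb_brute_force"))
        elif event in ("read", "write"):
            if external:
                volume[ip] += nbytes
                if volume[ip] >= VOLUME_THRESHOLD:
                    alerts.add((ip, "external_bulk_transfer"))
                if hour in OFF_HOURS:
                    alerts.add((ip, "external_offhours_smb"))
            # A write landing with the extension or note name is the encryption itself.
            if event == "write" and path.lower().endswith(RANSOM_MARKERS):
                alerts.add((ip, "wanttocry_filename"))
    return sorted(alerts)

if __name__ == "__main__":
    for ip, reason in detect(SAMPLE_EVENTS):
        print(f"ALERT {reason} from {ip}")
```

Because the article's point is that no process runs on the victim, the file-name check is the one signal that survives even when the client is a whitelisted internal address; the other two catch the campaign earlier, before any file is rewritten.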

Organizations should disable the outdated SMBv1 protocol, block inbound SMB traffic on ports TCP 139 and TCP 445 at internet-facing firewalls, and remove guest or anonymous SMB access.

Ensuring that backups cannot be reached via SMB protocols is equally important. Extended detection and response tools capable of identifying reconnaissance and brute-force activity against SMB services provide a valuable early-warning layer.

Indicators of Compromise (IoCs):

| Type | Indicator | Description |
| --- | --- | --- |
| IP Address | 87.225.105.217 | Russia-based hosting provider IP used for reconnaissance and brute-force SMB authentication attempts |
| IP Address | 109.69.58.213 | Attacker-controlled encryption infrastructure, geolocated to Germany |
| IP Address | 185.189.13.56 | Attacker-controlled encryption infrastructure, geolocated to Russian Federation |
| IP Address | 185.200.191.37 | Attacker-controlled encryption infrastructure, geolocated to United States of America |
| IP Address | 194.36.179.18 | Attacker-controlled encryption infrastructure, geolocated to Singapore |
| IP Address | 194.36.179.30 | Attacker-controlled encryption infrastructure, geolocated to Singapore |
| File Name | !Want_To_Cry.txt | Ransom note dropped into affected directories on victim systems |
| File Extension | .want_to_cry | Extension appended to all files encrypted by WantToCry ransomware |
| URL | hxxps://t[.]me/want_to_cry_team | Telegram contact channel listed in one variant of the WantToCry ransom note |
| Host Name | WIN-J9D866ESJ2 | Windows Server 2016 virtual machine used in WantToCry attack infrastructure |
| Host Name | WIN-LVFRVQFMKO | Windows Server 2019 virtual machine observed in WantToCry attack infrastructure |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
