WantToCry Ransomware Campaign Targets Exposed SMB Services for Remote Encryption

WantToCry Ransomware Campaign Targets Exposed SMB Services for Remote Encryption

First seen 20 May 2026, 23:27 UTC News.SophosScworldwww.pcrisk.comGbhackersCybersecuritynews+1 87% similarity 69.5

Article Content

Browse articles
ThreatCluster

The WantToCry ransomware campaign exploits exposed Server Message Block (SMB) services to remotely encrypt files without deploying malware on victim systems. Attackers scan for open SMB ports and use brute-force methods to gain access, leading to file exfiltration and encryption on their own servers. Ransom notes are left on affected systems, demanding payments ranging from $300 to $1,800 in Bitcoin. The campaign has been active since at least early 2024, with over 1.5 million devices identified as vulnerable. The ransomware's name is a nod to the infamous WannaCry ransomware, but it operates differently, focusing on remote encryption. Victims are instructed to communicate via qTox or Telegram for payment and decryption instructions. Security experts warn that paying the ransom does not guarantee file recovery. Organizations are advised to secure their SMB services to mitigate risks.

Key Points: • WantToCry ransomware exploits open SMB ports for remote file encryption. • Ransom demands range from $300 to $1,800, significantly lower than typical ransomware. • Over 1.5 million devices with exposed SMB services are at risk of attack.

ThreatCluster AI

Timeline

2024-02-01
WantToCry ransomware first identified
Pcrisk guide indicates that WantToCry ransomware has been active since early 2024, targeting SMB services.
PCrisk
2026-01-07
Shodan scan reveals exposed SMB ports
Shodan identified over 1.5 million devices with SMB ports exposed to the internet, increasing vulnerability.
Sophos
2026-05-19
Sophos reports on WantToCry attacks
Sophos analysts detail how WantToCry uses brute-force methods to access SMB services and encrypt files remotely.
Sophos
2026-05-20
PCrisk publishes detailed guide
PCrisk releases a guide on WantToCry, outlining its operation, ransom demands, and removal strategies.
PCrisk
2026-05-21
Gbhackers reports on SMB exploitation
Gbhackers highlights the ongoing exploitation of SMB services by WantToCry for remote file encryption.
Gbhackers

Community

Browse all →