WantToCry Ransomware Campaign Targets Exposed SMB Services for Remote Encryption
Severity: High (Score: 69.5)
Sources: Scworld, www.pcrisk.com, News.Sophos, Cybersecuritynews, Gbhackers
Keywords: wanttocry, ransomware, detection, remote, encryption, files, attacks
Severity indicators: ransomware, ot
Summary
The WantToCry ransomware campaign exploits exposed Server Message Block (SMB) services to remotely encrypt files without deploying malware on victim systems. Attackers scan for open SMB ports and brute-force their way in, then exfiltrate files and encrypt them on attacker-controlled servers. Ransom notes are left on affected systems, demanding payments ranging from $300 to $1,800 in Bitcoin. The campaign has been active since at least early 2024, with over 1.5 million devices identified as vulnerable. The ransomware's name is a nod to the infamous WannaCry ransomware, but it operates differently, focusing on remote encryption. Victims are instructed to communicate via qTox or Telegram for payment and decryption instructions. Security experts warn that paying the ransom does not guarantee file recovery. Organizations are advised to secure their SMB services to mitigate risks.

Key Points:
- WantToCry ransomware exploits open SMB ports for remote file encryption.
- Ransom demands range from $300 to $1,800, significantly lower than typical ransomware.
- Over 1.5 million devices with exposed SMB services are at risk of attack.
Detailed Analysis
**Impact**
Organizations with internet-exposed SMB services are targeted globally, with over 1.5 million devices identified as vulnerable, including more than 600,000 in the United States. The ransomware encrypts files remotely, appending the “.want_to_cry” extension and leaving ransom notes demanding payments between $300 and $1,800 in Bitcoin. The attack primarily affects systems with weak or compromised SMB credentials, potentially disrupting business operations by denying access to critical files. There is no evidence of data being used for double extortion, but file confidentiality and availability are at risk.

**Technical Details**
Attackers scan for exposed SMB ports (TCP 139 and 445) and use brute-force or compromised credentials to authenticate. Files are exfiltrated via SMB sessions to attacker-controlled infrastructure, encrypted remotely, and then written back to the victim’s system. No malware is executed locally, which reduces detection by endpoint security tools. Infrastructure includes IPs linked to Russian hosting providers and virtual machines associated with bulletproof hosting. Ransom notes instruct victims to communicate via qTox or Telegram and offer decryption of three test files. No exploited CVEs were specified.

**Recommended Response**
Block inbound SMB traffic on TCP ports 139 and 445 from untrusted networks and disable SMBv1 and guest or anonymous SMB access. Monitor for unusual SMB read/write activity and authentication attempts from external IPs. Maintain offline or otherwise inaccessible backups to enable recovery without paying the ransom. Deploy network-level detections for brute-force attempts and unauthorized SMB sessions. No specific patches were mentioned; focus on hardening SMB exposure and credential security.
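As an added defensive example (not code from Sophos or any of the cited sources), the following Python applies the monitoring recommendations above to constructed Windows Security event records. Event ids 4625/4624/4663 and LogonType 3 are standard Windows Security log semantics; the thresholds, trusted address ranges, field names and the TEST-NET-3 sample address are assumptions made for the example.

```python
"""Detection for the WantToCry pattern described above, run over CONSTRUCTED Windows
Security event records (not real telemetry): brute-forced SMB logons from the internet,
a successful external SMB session, then encrypted files written back to the share."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

BRUTE_FORCE_THRESHOLD = 10                 # assumed tuning: 10 failures per source ...
BRUTE_FORCE_WINDOW = timedelta(minutes=5)  # ... within 5 minutes
RANSOM_EXTENSION = ".want_to_cry"          # extension named in the advisory
# Assumed internal ranges; any other source address counts as external (internet).
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_external(ip: str) -> bool:
    """True when the source address lies outside every trusted network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in TRUSTED_NETWORKS)

def detect(events):
    """Return (rule, detail) alerts. Event ids follow the Windows Security log:
    4625 failed logon, 4624 successful logon, 4663 file access; LogonType 3 = network (SMB)."""
    alerts = []
    failures = defaultdict(list)           # source ip -> timestamps of recent failed logons
    for e in events:
        ts = datetime.fromisoformat(e["time"])
        if e["id"] == 4625 and e.get("logon_type") == 3:
            recent = failures[e["ip"]]
            recent[:] = [t for t in recent if ts - t <= BRUTE_FORCE_WINDOW] + [ts]
            if len(recent) == BRUTE_FORCE_THRESHOLD:   # alert once, when the burst is reached
                alerts.append(("smb_bruteforce", e["ip"]))
        elif e["id"] == 4624 and e.get("logon_type") == 3 and is_external(e["ip"]):
            alerts.append(("external_smb_session", f'{e["ip"]} as {e["user"]}'))
        elif e["id"] == 4663 and e.get("object", "").lower().endswith(RANSOM_EXTENSION):
            alerts.append(("ransom_extension_write", e["object"]))
    return alerts

# Constructed sample (TEST-NET-3 source): failure burst, external success, internal logon, encrypted write.
SAMPLE_EVENTS = [
    {"id": 4625, "logon_type": 3, "ip": "203.0.113.77", "user": "admin",
     "time": f"2026-05-18T02:00:{s:02d}"} for s in range(10)
] + [
    {"id": 4624, "logon_type": 3, "ip": "203.0.113.77", "user": "admin", "time": "2026-05-18T02:00:30"},
    {"id": 4624, "logon_type": 3, "ip": "10.0.0.5", "user": "jsmith", "time": "2026-05-18T02:01:00"},
    {"id": 4663, "ip": "203.0.113.77", "user": "admin",
     "object": r"C:\Shares\Finance\Q1.xlsx.want_to_cry", "time": "2026-05-18T02:05:00"},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"ALERT {rule}: {detail}")
```

In production the same three rules would be fed from forwarded Security log events (or SMB server audit logs) rather than an inline list, and the trusted ranges would be the organization's own.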
Source articles (5)
- WantToCry ransomware evades detection through SMB abuse, remote encryption — Scworld · 2026-05-20
  Attacks using WantToCry ransomware are targeting exposed Server Message Block (SMB) ports and utilizing remote encryption to minimize the chance of detection, Sophos reported Tuesday. WantToCry rans…
- PCrisk guide — www.pcrisk.com · 2026-05-20
  To use the full-featured product, you have to purchase a license for Combo Cleaner. Seven days free trial available. Combo Cleaner is owned and operated by RCS LT, the parent company of PCRisk.com. WantT…
- WantToCry Ransomware Abuses SMB Services to Remotely Encrypt Files — Cybersecuritynews · 2026-05-21
  A ransomware strain called WantToCry has been targeting businesses by abusing a widely used file-sharing protocol to encrypt files without dropping any malware on the victim’s system. The attacks mark…
- WantToCry Ransomware Exploits SMB to Encrypt Remote Files — Gbhackers · 2026-05-21
  A new ransomware campaign named “WantToCry” that leverages exposed Server Message Block (SMB) services to gain access and encrypt victim data without deploying traditional malware on compromised syste…
- WantToCry ransomware remotely encrypts files — News.Sophos · 2026-05-19
  SophosLabs analysts investigated WantToCry ransomware attacks that involved the threat actors abusing the Server Message Block (SMB) service for initial access and then exfiltrating files to attacker-…
Timeline
- 2024-02-01 — WantToCry ransomware first identified: the PCrisk guide indicates that WantToCry ransomware has been active since early 2024, targeting SMB services.
- 2026-01-07 — Shodan scan reveals exposed SMB ports: Shodan identified over 1.5 million devices with SMB ports exposed to the internet, increasing vulnerability.
- 2026-05-19 — Sophos reports on WantToCry attacks: Sophos analysts detail how WantToCry uses brute-force methods to access SMB services and encrypt files remotely.
- 2026-05-20 — PCrisk publishes detailed guide: PCrisk releases a guide on WantToCry, outlining its operation, ransom demands, and removal strategies.
- 2026-05-21 — Gbhackers reports on SMB exploitation: Gbhackers highlights the ongoing exploitation of SMB services by WantToCry for remote file encryption.
Related entities
- Brute Force (Attack Type)
- Ransomware (Attack Type)
- Germany (Country)
- Russia (Country)
- Singapore (Country)
- United States (Country)
- backup.in (Domain)
- pcrisk.com (Domain)
- 87.225.105.217 (IPv4)
- NetSupport RAT (Malware)
- Phobos (Malware)
- WannaCry (Ransomware Group)
- BlackCat (Ransomware Group)
- Dxen (Ransomware Group)
- GoodMorning (Ransomware Group)
- Lockbit (Ransomware Group)
- Qewe (Ransomware Group)
- Qilin (Ransomware Group)
- TransCrypt (Ransomware Group)
- WantToCry (Ransomware Group)
- T1021 - Remote Services (MITRE ATT&CK)
- T1041 - Exfiltration Over C2 Channel (MITRE ATT&CK)
- T1078 - Valid Accounts (MITRE ATT&CK)
- T1110 - Brute Force (MITRE ATT&CK)
- T1486 - Data Encrypted for Impact (MITRE ATT&CK)
- SMB (Platform)
- Windows (Platform)
- Windows Server 2016 (Platform)
- Windows Server 2019 (Platform)
- Censys (Tool)
- qTox (Tool)
- Shodan (Tool)