WantToCry Ransomware Exploits SMB for Remote Encryption Attacks

Severity: High (Score: 63.5)

Sources: Scworld, www.pcrisk.com, News.Sophos

Published: 2026-05-20 · Updated: 2026-05-21

Keywords: wanttocry, ransomware, detection, remote, encryption, files, attacks

Severity indicators: ransomware, ot

Summary

The WantToCry ransomware has been identified as a significant threat, targeting systems with exposed Server Message Block (SMB) ports. Attackers find these exposed services by scanning for open ports 139 and 445, with over 1.5 million such ports identified as of January 2026. The ransomware operates by exfiltrating files to attacker-controlled servers for encryption, thereby evading local detection. Ransom notes left on compromised systems demand payments ranging from $300 to $1,800 in Bitcoin. Unlike traditional ransomware, WantToCry does not engage in double-extortion tactics, focusing solely on file encryption. The infrastructure used by attackers has been traced to multiple IP addresses across various countries, including Russia and the United States. The threat actors employ brute-force attacks and compromised credentials to gain access to victims' networks. Organizations are advised to secure their SMB services to mitigate risks.

Key Points:

  • WantToCry ransomware targets exposed SMB ports, with over 1.5 million identified.
  • Files are encrypted remotely, minimizing detection risks for the attackers.
  • Ransom demands range from $300 to $1,800, with no evidence of double-extortion tactics.

Detailed Analysis

**Impact**

Over 1.5 million devices worldwide with SMB ports 139 and 445 exposed to the internet are at risk, including more than 600,000 in the United States. The ransomware targets organizations with internet-facing SMB services, primarily encrypting files on the compromised hosts without lateral movement or extensive network impact. Ransom demands range from $300 to $1,800, with no evidence of double extortion or data leak threats. Sectors affected are not specified in the reports.

**Technical Details**

Attackers scan for exposed SMB services and perform brute-force or credential-based authentication on ports TCP/139 and TCP/445. Files are exfiltrated over authenticated SMB sessions to attacker-controlled infrastructure where encryption occurs remotely; encrypted files are then written back to the victim's systems. No local malware execution or persistent processes occur on victim machines. Infrastructure includes IPs linked to Russia, Germany, the US, and Singapore, with known attacker VMs WIN-J9D866ESIJ2 and WIN-LIVFRVQFMKO involved. No exploited CVEs or specific malware binaries were identified.

**Recommended Response**

Block inbound SMB traffic on TCP ports 139 and 445 from untrusted networks and disable SMBv1 and anonymous or guest SMB access. Monitor for unusual SMB read/write activity and authentication attempts from external IPs. Maintain offline, immutable backups inaccessible via SMB. No patches are specified; detection should focus on network and authentication anomalies related to SMB sessions.
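Because the activity described above leaves no malware on the host, the detectable signal is the SMB authentication itself: repeated failed network logons from an internet address followed by a success. The script below is an added example written for this page, not code from Sophos, Scworld or the threat feed; it runs a windowed brute-force rule and an "external network logon" rule over a constructed, simplified rendering of Windows Security events 4625 (failed logon) and 4624 (successful logon) with Logon Type 3. The internal address ranges, the threshold and window, and the sample events (using RFC 5737 documentation addresses as stand-ins for public IPs) are all assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the organisation's internal address space. Any source outside
# these ranges is treated as an external (internet) SMB client.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
]

FAILED_LOGON = "4625"    # Windows Security event: an account failed to log on
SUCCESS_LOGON = "4624"   # Windows Security event: an account was successfully logged on
NETWORK_LOGON = "3"      # Logon Type 3 = network logon, which SMB authentication produces

# Constructed sample events (not from the page or from Sophos). Each line is a
# simplified rendering of one Security event: timestamp, event id, logon type,
# source IP, target user. 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges standing in for real internet sources.
SAMPLE_EVENTS = """\
2026-05-18T02:14:01Z 4625 3 203.0.113.45 administrator
2026-05-18T02:14:03Z 4625 3 203.0.113.45 admin
2026-05-18T02:14:05Z 4625 3 203.0.113.45 backup
2026-05-18T02:14:07Z 4625 3 203.0.113.45 scanner
2026-05-18T02:14:09Z 4625 3 203.0.113.45 test
2026-05-18T02:14:40Z 4624 3 203.0.113.45 backup
2026-05-18T02:15:00Z 4625 3 10.0.0.25 jsmith
2026-05-18T02:15:30Z 4624 3 10.0.0.25 jsmith
2026-05-18T09:00:00Z 4625 3 198.51.100.9 guest
"""


def parse_events(text):
    """Parse the simplified event lines into dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, src_ip, user = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "event_id": event_id,
            "logon_type": logon_type,
            "src_ip": src_ip,
            "user": user,
        })
    return events


def is_external(ip):
    """True when the address is outside every configured internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETWORKS)


def detect_smb_auth_anomalies(events, threshold=5, window=timedelta(minutes=5)):
    """Flag external network logons: a burst of failures, and any success.

    - smb_brute_force: `threshold` failed network logons from one external
      IP inside `window` (fires once when the count reaches the threshold).
    - smb_success_after_failures: a successful network logon from an external
      IP that still has failures inside the window.
    - smb_external_logon: any other successful network logon from an external
      IP; SMB authentication from the internet is itself anomalous here.
    """
    alerts = []
    recent_failures = defaultdict(list)   # src_ip -> timestamps within window
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] != NETWORK_LOGON or not is_external(ev["src_ip"]):
            continue
        src = ev["src_ip"]
        if ev["event_id"] == FAILED_LOGON:
            bucket = recent_failures[src]
            bucket.append(ev["ts"])
            # Drop failures that have aged out of the sliding window.
            while bucket and ev["ts"] - bucket[0] > window:
                bucket.pop(0)
            if len(bucket) == threshold:
                alerts.append({"rule": "smb_brute_force", "src_ip": src,
                               "failures": threshold, "at": ev["ts"].isoformat()})
        elif ev["event_id"] == SUCCESS_LOGON:
            rule = "smb_success_after_failures" if recent_failures[src] else "smb_external_logon"
            alerts.append({"rule": rule, "src_ip": src,
                           "user": ev["user"], "at": ev["ts"].isoformat()})
    return alerts


def run_sample():
    """Run both rules over the constructed events."""
    return detect_smb_auth_anomalies(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample input the script raises two alerts for 203.0.113.45: the fifth failure inside the window, then the success as `backup` forty seconds later; the internal client 10.0.0.25 and the single external failure from 198.51.100.9 stay below the rules. In production the same logic would consume forwarded 4624/4625 events from a SIEM, and the "unusual SMB read/write activity" half of the recommendation would be covered separately by file share audit events (5140 and 5145) correlated on the same source address.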

Source articles (3)

  • WantToCry ransomware evades detection through SMB abuse, remote encryption — Scworld · 2026-05-20
    Attacks using WantToCry ransomware are targeting exposed Server Message Block (SMB) ports and utilizing remote encryption to minimize the chance of detection, Sophos reported Tuesday. WantToCry rans…
  • PCrisk guide — www.pcrisk.com · 2026-05-20
    To use the full-featured product, you have to purchase a license for Combo Cleaner. A seven-day free trial is available. Combo Cleaner is owned and operated by RCS LT, the parent company of PCRisk.com. WantT…
  • WantToCry ransomware remotely encrypts files — News.Sophos · 2026-05-19
    SophosLabs analysts investigated WantToCry ransomware attacks that involved the threat actors abusing the Server Message Block (SMB) service for initial access and then exfiltrating files to attacker-…

Timeline

  • 2026-01-07 — Shodan scan reveals exposed SMB ports: Over 1.5 million devices with SMB ports exposed to the internet were identified, raising security concerns.
  • 2026-05-19 — Sophos reports on WantToCry ransomware: SophosLabs detailed the operational methods of WantToCry, including its use of SMB for remote encryption.
  • 2026-05-20 — Scworld publishes updated findings: Scworld reported on the detection evasion techniques of WantToCry and its ransom demands.

Related entities

  • Brute Force (Attack Type)
  • Ransomware (Attack Type)
  • Germany (Country)
  • Russia (Country)
  • Singapore (Country)
  • United States (Country)
  • backup.in (Domain)
  • pcrisk.com (Domain)
  • 87.225.105.217 (Ipv4)
  • NetSupport RAT (Malware)
  • Phobos (Malware)
  • WannaCry (Ransomware Group)
  • BlackCat (Ransomware Group)
  • Dxen (Ransomware Group)
  • GoodMorning (Ransomware Group)
  • Lockbit (Ransomware Group)
  • Qewe (Ransomware Group)
  • Qilin (Ransomware Group)
  • TransCrypt (Ransomware Group)
  • WantToCry (Ransomware Group)
  • T1021 - Remote Services (Mitre Attack)
  • T1041 - Exfiltration Over C2 Channel (Mitre Attack)
  • T1078 - Valid Accounts (Mitre Attack)
  • T1110 - Brute Force (Mitre Attack)
  • T1486 - Data Encrypted for Impact (Mitre Attack)
  • SMB (Platform)
  • Windows (Platform)
  • Windows Server 2016 (Platform)
  • Windows Server 2019 (Platform)
  • Censys (Tool)
  • QTox (Tool)
  • Shodan (Tool)