CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 21, 2026

WantToCry Ransomware Abuses SMB Services to Remotely Encrypt Files

Cybersecurity News Archived May 21, 2026 ✓ Full text saved

A ransomware strain called WantToCry has been targeting businesses by abusing a widely used file-sharing protocol to encrypt files without dropping any malware on the victim’s system. The attacks mark a notable shift in how ransomware operators approach campaigns, serving as a warning to any organization that still has file-sharing services exposed to the open […] The post WantToCry Ransomware Abuses SMB Services to Remotely Encrypt Files appeared first on Cyber Security News .

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security News WantToCry Ransomware Abuses SMB Services to Remotely Encrypt Files By Tushar Subhra Dutta May 21, 2026 A ransomware strain called WantToCry has been targeting businesses by abusing a widely used file-sharing protocol to encrypt files without dropping any malware on the victim’s system. The attacks mark a notable shift in how ransomware operators approach campaigns, serving as a warning to any organization that still has file-sharing services exposed to the open internet. WantToCry takes its name from WannaCry, the devastating ransomware worm that tore through global networks in 2017 by exploiting a flaw in the Server Message Block, or SMB, protocol. While WantToCry borrows the name, it works very differently. It does not spread on its own, and there is no evidence the two operations share any connection. What they do share is a common target: organizations that leave SMB ports open to the internet. Analysts at SophosLabs investigated WantToCry attacks that involved threat actors abusing the SMB service for initial access and then exfiltrating files to attacker-controlled infrastructure for remote encryption.  Sophos said in a report shared with Cyber Security News (CSN). The detection surface is significantly reduced because WantToCry operates without local malware execution, with no post-compromise activity beyond exfiltrating files and rewriting them to disk. Ransom note observed in WantToCry attacks (Source – Sophos) The impact of the campaign is notable not because of the ransom amounts demanded, which ranged from $400 to $1,800 per victim, but because of how quietly it operates. No malware runs on the victim’s machine and no suspicious software gets installed. The entire encryption process happens offsite on infrastructure the attackers control, making it far harder for traditional security tools to detect. What makes this particularly concerning is the scale of potential exposure. As of January 7, 2026, over 1.5 million devices had SMB ports TCP 139 and 445 exposed to the internet, and any one could become a target if credentials are weak or already compromised. WantToCry Ransomware Abuses SMB Services WantToCry operators begin by scanning the internet for systems with open SMB ports. They rely on tools like Shodan and Censys to build lists of exposed targets, the same tools legitimate security teams use. Once they identify a potential victim, they launch automated brute-force attacks against the exposed SMB service to break in using weak or already-leaked credentials. After gaining access, the attackers do not install anything on the target machine. Instead, they pull the victim’s files through the authenticated SMB session to their own infrastructure, encrypt them there, and push the encrypted versions back to the original locations. Figure 2: Ransom note observed in WantToCry attacks Affected files are renamed with a .want_to_cry extension and a ransom note named !Want_To_Cry.txt is dropped into directories demanding Bitcoin payment. Two ransom note templates were observed during the campaign. One directed victims to contact attackers via qTox, while a near-identical version listed a Telegram account. Victims were told they could test decryption on up to three files before paying, with demands in observed incidents sitting at $600 per victim. Detection Challenges and Defensive Steps Because no malicious code runs locally, endpoint detection tools that rely on spotting suspicious processes or known malware signatures will largely miss WantToCry activity. Security tools typically treat SMB file operations as normal system behavior, so the attack blends into everyday network traffic. Tools that monitor file content changes and detect encryption regardless of its source offer a stronger line of defense. Network monitoring adds another protective layer. WantToCry operations generate observable artifacts, particularly sustained SMB read and write activity from external IP addresses at unusual volumes or outside normal business hours. Brute-force attempts against SMB services can also serve as an early warning before encryption takes place. Organizations should disable the outdated SMBv1 protocol, block inbound SMB traffic on ports TCP 139 and TCP 445 at internet-facing firewalls, and remove guest or anonymous SMB access. Ensuring that backups cannot be reached via SMB protocols is equally important. Extended detection and response tools capable of identifying reconnaissance and brute-force activity against SMB services provide a valuable early-warning layer. Indicators of Compromise (IoCs):- Type Indicator Description IP Address 87.225.105.217 Russia-based hosting provider IP used for reconnaissance and brute-force SMB authentication attempts IP Address 109.69.58.213 Attacker-controlled encryption infrastructure, geolocated to Germany IP Address 185.189.13.56 Attacker-controlled encryption infrastructure, geolocated to Russian Federation IP Address 185.200.191.37 Attacker-controlled encryption infrastructure, geolocated to United States of America IP Address 194.36.179.18 Attacker-controlled encryption infrastructure, geolocated to Singapore IP Address 194.36.179.30 Attacker-controlled encryption infrastructure, geolocated to Singapore File Name !Want_To_Cry.txt Ransom note dropped into affected directories on victim systems File Extension .want_to_cry Extension appended to all files encrypted by WantToCry ransomware URL hxxps://t[.]me/want_to_cry_team Telegram contact channel listed in one variant of the WantToCry ransom note Host Name WIN-J9D866ESJ2 Windows Server 2016 virtual machine used in WantToCry attack infrastructure Host Name WIN-LVFRVQFMKO Windows Server 2019 virtual machine observed in WantToCry attack infrastructure Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM. Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Tushar Subhra Dutta Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics. Trending News TeamPCP and BreachForums Hackers Running $1,000 Contest for Supply Chain Attacks Packagist Urges Immediate Composer Update After GitHub Actions Token Leak 600+ npm Packages Compromised in New Mini Shai-Hulud Supply Chain Attack CISA Admin Exposes AWS GovCloud Credentials on Public GitHub Repository Multiple cPanel Vulnerabilities Allows Access to Sensitive System Resources Latest News Cyber Security Two U.S. Executives Plead Guilty in India-Based Tech-Support Fraud Schemes Cyber Security News New GhostTree Attack Causing EDR Products to Hang and Leave Files Unscanned Cyber Security Claude Code’s Network Sandbox Vulnerability Exposes User Credentials and Source Code Cyber Security News Gremlin Stealer Stores C2 URLs and Exfiltration Paths in Encrypted Resource Sections Cyber Security News Dark Web Brokers Repackage Old Breaches as Fresh Corporate Data Leaks
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    May 21, 2026
    Archived
    May 21, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗