
WantToCry Ransomware Encrypts Files Remotely Over SMB — No Malware Required

dark6 22 May 2026

A ransomware strain called WantToCry has been targeting businesses by abusing the widely used Server Message Block (SMB) file-sharing protocol to encrypt files — without ever dropping malware on the victim’s machine. Analyzed by SophosLabs, the attacks mark a notable shift in ransomware tactics and serve as an urgent warning to any organization that still has SMB services exposed to the public internet.

A New Ransomware Approach Without Local Malware

WantToCry takes its name from WannaCry, the devastating ransomware worm that swept through global networks in 2017 by exploiting a flaw in the SMB protocol. While WantToCry borrows the name, it works very differently. It does not self-propagate, and there is no evidence of any technical connection between the two operations. What they share is a common target: organizations that leave SMB ports open to the internet.

The defining feature of WantToCry is that encryption never happens on the victim’s machine. Attackers pull files from the target through an authenticated SMB session, encrypt them on attacker-controlled infrastructure, then push the encrypted versions back. No malware executable runs locally. No suspicious process appears in task manager. The attack is effectively invisible to traditional endpoint security tools.

How the Attack Unfolds

WantToCry operators begin their campaigns by scanning the internet for systems with open SMB ports, specifically TCP 139 and TCP 445. They use tools like Shodan and Censys to build target lists — the same tools legitimate security teams use for asset discovery.

Once a potential victim is identified, the attackers launch automated brute-force attacks against the exposed SMB service, attempting to authenticate with weak or previously leaked credentials. After gaining access, no malware is installed. Instead:

  • Victim files are pulled to attacker infrastructure via the authenticated SMB session
  • Files are encrypted remotely on attacker-controlled servers
  • Encrypted files are pushed back to the victim’s original directories
  • Files are renamed with a .want_to_cry extension
  • A ransom note named !Want_To_Cry.txt is dropped in affected directories

Ransom demands in observed incidents ranged from $400 to $1,800 per victim, with many incidents settling around $600. Two ransom note variants were observed — one directing victims to contact attackers via the qTox encrypted messaging app, another listing a Telegram account. Victims are told they can test decryption on up to three files before paying.

Scale of Exposure

The potential impact of this campaign is alarming. As of January 7, 2026, over 1.5 million devices worldwide had SMB ports TCP 139 and TCP 445 exposed to the internet. Any of them could become a target if it runs with weak or compromised credentials. SMB exposure is a particularly persistent problem in small and mid-sized businesses, where network segmentation is often minimal and firewall rules may be loosely maintained.

The detection surface is significantly reduced because WantToCry operates without local malware execution. There is no post-compromise activity visible to the victim beyond exfiltrating files and rewriting them to disk, according to Sophos.

Detection Is Harder Than It Looks

Because no malicious code runs locally, endpoint detection tools that rely on spotting suspicious processes or known malware signatures will largely miss WantToCry activity. Security tools typically treat SMB file operations as normal system behavior, so the attack blends seamlessly into everyday network traffic.

However, WantToCry operations do generate observable network-level artifacts that can serve as early warning signs:

  • Sustained SMB read and write activity from external IP addresses at unusual volumes
  • SMB traffic outside normal business hours or from unexpected geographic locations
  • Automated brute-force login attempts against SMB services in authentication logs
  • Rapid changes to large numbers of file extensions in monitored directories
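The first three artifacts above are all visible in SMB authentication and session logs. The following is an added example, not code from the article or from Sophos, that runs those checks over a handful of constructed log lines: a burst of failed logons from one source followed by a success, hundreds of megabytes read and then written back from an external address, and activity at 02:00 UTC. The log format, the internal address ranges, the thresholds and every IP address in the sample are assumptions made for the example; real deployments would feed it from the file server's audit log or a network sensor.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from the article or from Sophos telemetry). The format is an
# assumption for this example: UTC timestamp, then key=value fields for an SMB auth or I/O event.
SAMPLE_LOG = """\
2026-05-20T02:14:01Z src=203.0.113.7 event=auth user=Administrator result=FAIL
2026-05-20T02:14:02Z src=203.0.113.7 event=auth user=Administrator result=FAIL
2026-05-20T02:14:03Z src=203.0.113.7 event=auth user=admin result=FAIL
2026-05-20T02:14:04Z src=203.0.113.7 event=auth user=backup result=FAIL
2026-05-20T02:14:05Z src=203.0.113.7 event=auth user=scanner result=FAIL
2026-05-20T02:14:06Z src=203.0.113.7 event=auth user=backup result=OK
2026-05-20T02:15:10Z src=203.0.113.7 event=io op=read bytes=734003200 share=Finance
2026-05-20T02:31:44Z src=203.0.113.7 event=io op=write bytes=734003200 share=Finance
2026-05-20T09:02:11Z src=10.0.4.21 event=auth user=jdoe result=OK
2026-05-20T09:05:30Z src=10.0.4.21 event=io op=read bytes=2097152 share=Finance
2026-05-20T09:06:12Z src=10.0.4.22 event=auth user=asmith result=FAIL
2026-05-20T09:06:20Z src=10.0.4.22 event=auth user=asmith result=OK
"""

# Assumed internal ranges; anything else is treated as "external" for the checks below.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)\s+(?P<kv>.+)$")


def parse_events(text):
    """Turn log lines into dicts; malformed lines are skipped rather than crashing the monitor."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        fields = dict(item.split("=", 1) for item in m.group("kv").split() if "=" in item)
        fields["ts"] = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
        events.append(fields)
    return events


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def _peak_in_window(times, window_seconds):
    """Largest number of timestamps that fall inside any span of window_seconds."""
    times = sorted(times)
    peak = start = 0
    for end in range(len(times)):
        while (times[end] - times[start]).total_seconds() > window_seconds:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def detect_bruteforce(events, max_failures=4, window_seconds=60):
    """Sources with more than max_failures failed SMB logons inside a sliding window, plus whether
    a logon from that source succeeded afterwards (the credential-guessing run paid off)."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e.get("event") != "auth":
            continue
        (successes if e.get("result") == "OK" else failures)[e["src"]].append(e["ts"])
    findings = {}
    for src, times in failures.items():
        peak = _peak_in_window(times, window_seconds)
        if peak > max_failures:
            last_fail = max(times)
            findings[src] = {"failures": peak,
                             "success_after": any(t > last_fail for t in successes.get(src, []))}
    return findings


def detect_external_io(events, min_bytes=100 * 1024 * 1024):
    """External sources that read or wrote at least min_bytes over SMB. A large read followed by a
    write of similar size from the same external address is the pull, encrypt, push pattern."""
    volume = defaultdict(lambda: {"read": 0, "write": 0})
    for e in events:
        if e.get("event") == "io" and e.get("op") in ("read", "write") and is_external(e["src"]):
            volume[e["src"]][e["op"]] += int(e["bytes"])
    return {src: v for src, v in volume.items() if max(v.values()) >= min_bytes}


def detect_off_hours(events, business_start=8, business_end=18):
    """External sources active outside business hours (UTC here; adjust to the site's timezone)."""
    return sorted({e["src"] for e in events
                   if is_external(e["src"]) and not business_start <= e["ts"].hour < business_end})


def triage(text=SAMPLE_LOG):
    """Run all three checks over one log and return the findings keyed by check name."""
    events = parse_events(text)
    return {"bruteforce": detect_bruteforce(events),
            "external_io": detect_external_io(events),
            "off_hours": detect_off_hours(events)}


if __name__ == "__main__":
    for name, finding in triage().items():
        print(name, finding)
```

Each check on its own produces false positives (a remote office behind a public address, a night-shift backup job); the point is that all three firing for the same external source within minutes is the sequence this campaign produces, and none of them needs an agent on the endpoint.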

Defensive Recommendations

Sophos and security researchers recommend the following immediate steps to protect against WantToCry and similar SMB-based ransomware campaigns:

  • Block SMB at the perimeter — Block inbound SMB traffic on TCP ports 139 and 445 at all internet-facing firewalls. There is no legitimate reason for external parties to initiate SMB connections to your systems
  • Disable SMBv1 — The older SMBv1 protocol is insecure and should be disabled on all systems
  • Remove anonymous and guest access — Ensure SMB shares require strong authentication; disable guest accounts entirely
  • Use strong, unique credentials — Rotate SMB credentials regularly and enforce password complexity; consider multi-factor authentication where supported
  • Protect backups — Ensure backup systems cannot be reached via SMB protocols to prevent backup encryption
  • Deploy content-aware monitoring — Use tools that detect encryption activity by monitoring file content changes, regardless of where encryption is occurring
  • Enable XDR/EDR network monitoring — Extended detection and response tools capable of identifying reconnaissance and brute-force activity against SMB services provide valuable early warning
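The "content-aware monitoring" recommendation above, together with the "rapid changes to large numbers of file extensions" artifact, can be implemented without knowing which process did the encrypting, because it looks only at what lands on disk. The following is an added example, not code from the article or from Sophos: it scores a single file rewrite by the jump in byte entropy (plaintext documents sit well below 6 bits per byte, ciphertext close to 8) and by the two indicators the article names, the .want_to_cry extension and the !Want_To_Cry.txt note, and it flags a directory where many files gain a new extension inside a short window. The file paths, the thresholds and the "ciphertext" (a SHA-256 chain standing in for encrypted output) are constructed for the example.

```python
import hashlib
import math
import os
from collections import Counter, defaultdict

# Indicators taken from the article: encrypted files get this extension and a note with this name.
RANSOM_EXT = ".want_to_cry"
RANSOM_NOTE = "!Want_To_Cry.txt"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_write(path, data_before, data_after, high_entropy=7.2, min_jump=2.5):
    """Reasons a single file write looks like remote encryption (empty list = nothing suspicious).
    data_before is None for a newly created file. Thresholds are assumptions for the example."""
    reasons = []
    if path.lower().endswith(RANSOM_EXT):
        reasons.append("ransom-extension")
    if os.path.basename(path) == RANSOM_NOTE:
        reasons.append("ransom-note")
    e_before = shannon_entropy(data_before) if data_before is not None else 0.0
    e_after = shannon_entropy(data_after)
    if e_after >= high_entropy and e_after - e_before >= min_jump:
        reasons.append("entropy-jump")
    return reasons


def detect_extension_burst(file_events, window_seconds=60, min_renames=10):
    """file_events: (timestamp_seconds, path_before, path_after) tuples from a file-activity feed.
    Returns {directory: peak number of extension changes inside any window_seconds span}."""
    per_dir = defaultdict(list)
    for ts, before, after in file_events:
        if before is None:
            continue  # new file, not a rename
        if os.path.splitext(before)[1] != os.path.splitext(after)[1]:
            per_dir[os.path.dirname(after)].append(ts)
    flagged = {}
    for directory, times in per_dir.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window_seconds:
                start += 1
            count = end - start + 1
            if count >= min_renames:
                flagged[directory] = max(flagged.get(directory, 0), count)
    return flagged


# ---- constructed sample data (not real victim files or Sophos samples) ----

def pseudo_ciphertext(seed: bytes, length: int) -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext, built from a SHA-256 chain."""
    out, block = bytearray(), seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:length])


PLAINTEXT = b"invoice_id,customer,amount_usd\n" + b"".join(
    b"%d,ACME Corp,%d.00\n" % (i, 100 + i) for i in range(200))
CIPHERTEXT = pseudo_ciphertext(b"example-seed", len(PLAINTEXT))


def demo_writes():
    """Three writes a monitor might see: a normal edit, an encrypted rewrite, the ransom note."""
    benign = classify_write("/srv/finance/q1.csv", PLAINTEXT, PLAINTEXT + b"201,ACME Corp,301.00\n")
    encrypted = classify_write("/srv/finance/q1.csv" + RANSOM_EXT, PLAINTEXT, CIPHERTEXT)
    note = classify_write("/srv/finance/" + RANSOM_NOTE, None, b"Your files have been encrypted.")
    return benign, encrypted, note


def demo_burst():
    """25 renames in 25 seconds in one share versus two renames a day apart in another."""
    events = [(1000 + i, f"/srv/finance/doc{i}.docx", f"/srv/finance/doc{i}.docx{RANSOM_EXT}")
              for i in range(25)]
    events += [(5000, "/srv/hr/a.txt", "/srv/hr/a.md"), (5000 + 86400, "/srv/hr/b.txt", "/srv/hr/b.md")]
    return detect_extension_burst(events)


if __name__ == "__main__":
    print(demo_writes())
    print(demo_burst())
```

The entropy check is the part that keeps working if a future variant drops the distinctive extension and note name: a rewrite that preserves file size but takes the content from 4 bits per byte to nearly 8 is what encryption looks like on disk whoever performed it, and an alert on that can trigger share lockdown before the whole directory is rewritten.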

Known Attacker Infrastructure

SophosLabs identified several IP addresses associated with WantToCry attack infrastructure, including hosts geolocated in Russia, Germany, Singapore, and the United States. The attacker infrastructure included Windows Server 2016 and 2019 virtual machines used for remote encryption operations. Organizations can add these indicators to their SIEM and firewall block lists as part of an immediate defensive response.

WantToCry represents an evolution in ransomware tradecraft — moving the encryption process entirely off the victim’s network to evade detection. As more threat actors discover that SMB exposure remains widespread, this technique is likely to become more common. Closing internet-facing SMB access is the single most effective step organizations can take today.
