WantToCry ransomware abuses exposed SMB services to encrypt files remotely
WantToCry ransomware is targeting organizations that expose SMB file-sharing services to the internet, then using those connections to steal files, encrypt them remotely, and write the encrypted versions back to the victim system. The attack stands out because it does not need to run malware on the affected machine.
SophosLabs investigated attacks where threat actors abused Server Message Block access for initial entry and file encryption. Once attackers found weak or compromised SMB credentials, they used normal file-sharing behavior to move data out and replace files with encrypted copies.
The approach shrinks what endpoint tools can see. Traditional ransomware runs a local encryptor, spawns suspicious processes, or drops payloads on disk. WantToCry avoids much of that by keeping the encryption step on attacker-controlled infrastructure and touching the victim only through file-sharing operations.
How WantToCry attacks work
The attack begins with exposed SMB services, usually on TCP ports 139 and 445. Attackers scan for reachable systems, then attempt automated brute-force logins using weak, reused, or already-compromised credentials.
After authentication succeeds, the attackers pull victim files over the SMB session. They encrypt the files on their own systems and then push the encrypted versions back to the original directories. The affected files receive the .want_to_cry extension, and a ransom note named !Want_To_Cry.txt appears in affected folders.
This creates a serious monitoring problem. From the victim system’s point of view, the activity is a series of remote SMB reads and writes carried out by the built-in SMB server service on behalf of an authenticated remote user, not a local ransomware process. Process-centric controls therefore have nothing unusual to flag; the signal lives in authentication logs and file-share telemetry.
| Attack stage | What happens |
|---|---|
| Reconnaissance | Attackers search for systems exposing SMB ports 139 and 445 to the internet. |
| Authentication attempts | Automated brute-force attacks test weak or reused credentials. |
| File exfiltration | Files are copied from the victim over an authenticated SMB session. |
| Remote encryption | Attackers encrypt the copied files on infrastructure they control. |
| Overwrite phase | Encrypted files are written back to the original locations over SMB. |
| Ransom note | Victims see !Want_To_Cry.txt and files with the .want_to_cry extension. |
Why this is different from WannaCry
WantToCry’s name appears to reference WannaCry, the 2017 ransomware worm that spread through an SMB vulnerability. The similarity can cause confusion, but the two operations work differently.
WannaCry spread automatically by exploiting vulnerable systems. WantToCry does not appear to be self-propagating. It relies on exposed SMB services and weak authentication rather than worm-like spreading or a confirmed software exploit.
The shared lesson is still important. SMB should not sit open to the public internet. File-sharing services often belong inside trusted networks or behind controlled remote-access systems, not directly exposed to every scanner online.
Ransom demands are lower, but the risk remains serious
Sophos observed ransom demands of $600 in the incidents it reviewed, while other publicly disclosed WantToCry notes have ranged from $400 to $1,800. Those amounts are lower than typical enterprise ransomware demands, which often reach much larger figures.
The Sophos report says the lower demands likely reflect the limited scope of many attacks. WantToCry does not appear to spend time positioning ransomware across a full compromised environment before encryption.
That does not make the threat minor. If the exposed SMB host contains business documents, customer files, backups, shared drives, or operational data, remote encryption can still cause real disruption.
Why exposed SMB is the main weakness
SMB is a normal Windows file-sharing protocol. It supports shared folders, network storage, authentication, and access to files across systems. In trusted environments, it remains widely used. On the public internet, it creates a large attack surface.
Microsoft SMB security guidance recommends blocking outbound SMB traffic to the internet at the corporate firewall in most environments. The same logic applies to inbound SMB exposure, which should only exist in controlled and justified cases.
Sophos said Shodan identified more than 1.5 million devices with SMB ports exposed to the internet as of January 7, 2026. That gives attackers a large pool of systems to scan before they even start password attacks.
Why endpoint tools may miss the attack
WantToCry creates fewer local indicators than traditional ransomware because the encryption does not happen through a local malicious executable. No obvious ransomware binary needs to launch on the victim machine.
Many security tools treat SMB file operations as normal system behavior. That makes detection harder when the attacker uses valid credentials and performs reads and writes through a protocol the organization already allows.

Better detection comes from watching file content changes, unusual SMB traffic volume, external SMB sessions, abnormal write patterns, and brute-force authentication attempts. These signals can reveal the attack even when no malware process runs locally.
What defenders should monitor
Network monitoring can catch early warning signs before encryption finishes. Brute-force attempts against SMB should trigger investigation, especially when they come from internet-facing IP addresses or occur outside normal access patterns.
- Repeated failed SMB login attempts from external IP addresses.
- Successful SMB authentication after a long series of failed attempts.
- Sustained file reads from an unknown external host.
- Large file write bursts over SMB from the same external connection.
- Files suddenly renamed with the .want_to_cry extension.
- Unexpected ransom notes named !Want_To_Cry.txt.
- SMB access to backup locations from untrusted systems.
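The monitoring list above can be turned into a small correlation rule set. The Python below is an added example written for this article, not detection content from Sophos or any vendor. It runs over constructed, simplified event records (not real telemetry) modeled on Windows Security events 4625 (failed logon), 4624 (successful logon) and 5145 (network share object access); the pipe-delimited layout, the "ReadData"/"WriteData" labels, the thresholds, the share and backup paths, and the trusted-network list are all assumptions made for the example.

```python
"""Correlate SMB-related authentication and share-access events into WantToCry-style alerts."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tuning for the example; real thresholds depend on the share's normal traffic.
FAIL_THRESHOLD = 5                 # failed logons from one host before we call it brute force
BURST_THRESHOLD = 20               # read or write operations from one host inside WINDOW
WINDOW = timedelta(minutes=10)
RANSOM_NOTE = "!want_to_cry.txt"   # compared case-insensitively
RANSOM_EXT = ".want_to_cry"
BACKUP_MARKERS = ("\\backups\\", "\\backup\\")

# Everything outside these ranges is treated as an external host. This is an explicit
# allowlist rather than ipaddress.is_global, which classifies the RFC 5737 documentation
# ranges used in the sample below as non-global.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in TRUSTED_NETS)


def _line(t, event_id, ip, user, path="", access=""):
    """Render one simplified, pipe-delimited event record (constructed format, not EVTX)."""
    return f"{t:%Y-%m-%dT%H:%M:%SZ}|{event_id}|{ip}|{user}|{path}|{access}"


def build_sample_events():
    """Constructed sample telemetry, not logs from a real incident. An internet host
    brute-forces a logon, succeeds, bulk-reads a share, then writes encrypted copies,
    the ransom note and a file in the backup folder. Internal activity is mixed in."""
    t0 = datetime(2026, 1, 7, 3, 12, 0)
    attacker = "203.0.113.45"      # RFC 5737 documentation address standing in for an internet IP
    ev = [_line(t0 + timedelta(seconds=20 * i), 4625, attacker, "administrator") for i in range(6)]
    ev.append(_line(t0 + timedelta(minutes=2, seconds=5), 4624, attacker, "fileadmin"))
    ev += [_line(t0 + timedelta(minutes=3, seconds=i), 5145, attacker, "fileadmin",
                 f"\\\\FS01\\Finance\\report{i}.xlsx", "ReadData") for i in range(25)]
    ev += [_line(t0 + timedelta(minutes=8, seconds=i), 5145, attacker, "fileadmin",
                 f"\\\\FS01\\Finance\\report{i}.xlsx.want_to_cry", "WriteData") for i in range(25)]
    ev.append(_line(t0 + timedelta(minutes=9), 5145, attacker, "fileadmin",
                    "\\\\FS01\\Finance\\!Want_To_Cry.txt", "WriteData"))
    ev.append(_line(t0 + timedelta(minutes=9, seconds=30), 5145, attacker, "fileadmin",
                    "\\\\FS01\\Backups\\finance-2026-01-06.bak", "WriteData"))
    ev += [_line(t0 + timedelta(minutes=4, seconds=i), 5145, "10.0.0.15", "jsmith",
                 f"\\\\FS01\\Finance\\budget{i}.docx", "WriteData") for i in range(3)]
    return ev


def parse(line: str):
    ts, event_id, ip, user, path, access = line.split("|")
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), int(event_id), ip, user, path, access


def detect(lines):
    """Return alerts in detection order; each (rule, ip) pair fires at most once."""
    alerts, fired = [], set()
    fails = defaultdict(list)                       # ip -> failed-logon timestamps in WINDOW
    ops = defaultdict(lambda: defaultdict(list))    # ip -> access type -> timestamps in WINDOW

    def fire(rule, ip, detail):
        if (rule, ip) not in fired:
            fired.add((rule, ip))
            alerts.append({"rule": rule, "ip": ip, "detail": detail})

    def prune(times, now):
        while times and now - times[0] > WINDOW:
            times.pop(0)

    for ts, event_id, ip, user, path, access in sorted(parse(l) for l in lines):
        if not is_external(ip):
            continue        # internal hosts are judged against their own baselines elsewhere
        if event_id == 4625:
            fails[ip].append(ts)
            prune(fails[ip], ts)
            if len(fails[ip]) >= FAIL_THRESHOLD:
                fire("brute_force", ip, f"{len(fails[ip])} failed logons within {WINDOW}")
        elif event_id == 4624:
            prune(fails[ip], ts)
            if len(fails[ip]) >= FAIL_THRESHOLD:
                fire("success_after_failures", ip, f"{user} logged on after {len(fails[ip])} failures")
        elif event_id == 5145:
            bucket = ops[ip][access]
            bucket.append(ts)
            prune(bucket, ts)
            if len(bucket) >= BURST_THRESHOLD:
                fire(f"{access.lower()}_burst", ip, f"{len(bucket)} {access} operations within {WINDOW}")
            name = path.rsplit("\\", 1)[-1].lower()
            if name == RANSOM_NOTE or name.endswith(RANSOM_EXT):
                fire("ransom_artifact", ip, path)
            if any(marker in path.lower() for marker in BACKUP_MARKERS):
                fire("backup_access_external", ip, path)
    return alerts


if __name__ == "__main__":
    for alert in detect(build_sample_events()):
        print(f"[{alert['rule']}] {alert['ip']}: {alert['detail']}")
```

Two design points matter here. First, the successful 4624 from the attacker looks entirely legitimate on its own; it only becomes suspicious when correlated with the failures that preceded it from the same source, which is why the rule keeps per-host failure history instead of alerting on single events. Second, the read burst fires minutes before any encrypted file is written back, so the volume rules buy response time that the filename rules cannot. Event 5145 is only emitted when "Audit Detailed File Share" is enabled and is noisy on busy servers, so in practice this kind of logic is scoped to sessions from untrusted sources, as the example does.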
The CISA ransomware guide recommends blocking unnecessary SMB communications and restricting external access to SMB services. That advice directly matches the weakness WantToCry depends on.
How to reduce exposure
The strongest defense is to remove public SMB exposure. Organizations should block inbound SMB on TCP 139 and TCP 445 at internet-facing firewalls unless there is a documented and protected business requirement.
Microsoft’s SMB hardening guidance also recommends limiting SMB traffic that leaves the network, since outbound SMB can support data movement to attacker-controlled systems. Firewall rules, network segmentation, and allowlists can reduce that risk.
- Block inbound SMB traffic from the internet on ports 139 and 445.
- Disable SMBv1 across the organization.
- Remove guest and anonymous SMB access.
- Require strong, unique passwords, and put multifactor authentication on the VPN or remote-access path in front of SMB; the protocol’s own NTLM and Kerberos authentication does not support a second factor.
- Limit SMB access to trusted VPNs, jump hosts, or internal networks.
- Keep backups offline, immutable, or unreachable through SMB.
- Monitor file shares for encryption-like content changes.
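The last item, watching shares for encryption-like content changes, usually comes down to entropy: plaintext documents have low byte entropy, ciphertext sits close to 8 bits per byte, and the common false positive is an already-compressed format (OOXML, PDF, images, archives) that is also high-entropy but carries a recognizable header. The Python below is an added example, not part of the article or of any product. The sample contents are constructed, and the "ciphertext" is a SHA-256 chain standing in for encrypted output; it says nothing about the cipher WantToCry actually uses. The share path and the entropy threshold are assumptions.

```python
"""Classify a file write on a share as plaintext, known high-entropy format, or encryption-like."""
import hashlib
import math
from collections import Counter

ENTROPY_THRESHOLD = 7.0          # bits per byte; assumed cut-off, tune per share
RANSOM_EXT = ".want_to_cry"

# File signatures that are legitimately high-entropy (compressed or media) and must
# not be mistaken for ciphertext. Encrypted output normally has no recognizable header.
KNOWN_MAGIC = {
    b"PK\x03\x04": "zip/OOXML (docx, xlsx, pptx)",
    b"%PDF": "pdf",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG": "png",
    b"\x1f\x8b": "gzip",
    b"7z\xbc\xaf\x27\x1c": "7z",
}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant stream, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def known_format(data: bytes):
    """Return the matching signature name, or None when no known header is present."""
    for magic, name in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def classify_write(path: str, before: bytes, after: bytes) -> dict:
    """Decide whether the new content of `path` looks like an encrypted replacement."""
    h_before, h_after = shannon_entropy(before), shannon_entropy(after)
    result = {"path": path, "entropy_before": round(h_before, 2),
              "entropy_after": round(h_after, 2), "format": known_format(after)}
    if path.lower().endswith(RANSOM_EXT):
        result["verdict"] = "ransomware_extension"          # the name alone is conclusive
    elif h_after < ENTROPY_THRESHOLD:
        result["verdict"] = "low_entropy"                   # still looks like plaintext
    elif result["format"] is not None:
        result["verdict"] = "known_high_entropy_format"     # compressed/media, not alertable
    else:
        result["verdict"] = "encrypted_like"                # high entropy, no header: flag it
    return result


def pseudo_ciphertext(n: int, seed: bytes = b"constructed sample") -> bytes:
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for encrypted output.
    This is a test fixture, not a model of the cipher used by any ransomware."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed sample contents, not files taken from any incident.
SAMPLE_PLAINTEXT = b"date,account,amount\n2026-01-06,ACME Corp,1234.56\n" * 80
SAMPLE_CIPHERTEXT = pseudo_ciphertext(4096)
SAMPLE_ZIP = b"PK\x03\x04" + pseudo_ciphertext(4092, seed=b"zip fixture")


if __name__ == "__main__":
    share = "\\\\FS01\\Finance\\"
    for name, after in (("report.xlsx", SAMPLE_PLAINTEXT),
                        ("report.xlsx", SAMPLE_CIPHERTEXT),
                        ("archive.docx", SAMPLE_ZIP),
                        ("report.xlsx.want_to_cry", SAMPLE_CIPHERTEXT)):
        print(classify_write(share + name, SAMPLE_PLAINTEXT, after))
```

The header check is what keeps this usable on a real file server: an .xlsx is a zip container and already scores near 7.9 bits per byte, so entropy alone would flag every spreadsheet save. The caveat in the other direction is that a ransomware which encrypts only part of a file, or copies the original header onto its output, will defeat the signature check; the entropy jump between the previous and new version (both values are returned) and the rename to .want_to_cry remain as independent signals.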
Backups need special protection
WantToCry shows why backups should not be reachable through the same file-sharing path as production files. If attackers authenticate to an exposed SMB service and can reach backup folders, they may encrypt recovery data as well.
The CISA StopRansomware guidance recommends maintaining offline, encrypted, and immutable backups. Organizations should also test restoration, because an untested backup may fail when it matters most.
For shared drives and small business file servers, this is especially important. A single exposed host can hold documents, accounting files, customer records, and backup copies in one place.
Why WantToCry matters now
WantToCry is a reminder that ransomware does not always need a flashy exploit or custom payload. Weak credentials and exposed services can give attackers enough access to damage files remotely.
The campaign also shows why security teams need visibility beyond endpoints. Network logs, authentication telemetry, SMB access patterns, file-integrity monitoring, and backup isolation all help close the gap left by attacks that avoid local malware execution.
Organizations should treat internet-facing SMB as a high-risk condition. If SMB must remain reachable, access should be tightly restricted, logged, and protected with strong authentication and continuous monitoring.
The fastest way to reduce WantToCry risk is clear: close public SMB exposure, disable outdated SMB versions, harden credentials, isolate backups, and investigate any unusual SMB read or write activity from external systems.
FAQ
What is WantToCry?
WantToCry is a ransomware strain that abuses exposed SMB file-sharing services to copy files to attacker infrastructure, encrypt them remotely, and write encrypted versions back to the victim system.
Does WantToCry run malware on the victim machine?
Sophos says the observed WantToCry attacks operated without local malware execution. The encryption happened on attacker-controlled infrastructure, while files were read and rewritten through SMB.
Is WantToCry related to WannaCry?
There is no evidence that WantToCry and WannaCry are connected. WantToCry appears to borrow the name, but it does not self-propagate like the 2017 WannaCry worm.
Which ports does WantToCry target?
Organizations should protect TCP ports 139 and 445. In most environments, SMB should not be directly exposed to the public internet.
How can organizations defend against WantToCry?
Teams should block internet-facing SMB, disable SMBv1, remove guest or anonymous SMB access, enforce strong credentials, monitor SMB traffic, and keep backups offline, immutable, or unreachable through SMB.