The cybersecurity landscape continues to evolve as ransomware operators adopt stealthier and more efficient attack methodologies. One of the latest examples is WantToCry, a ransomware campaign that abuses exposed Server Message Block (SMB) services to remotely encrypt victim files without deploying traditional malware on compromised systems. Unlike conventional ransomware operations that rely on malicious executables, persistence mechanisms, privilege escalation, and lateral movement, WantToCry significantly reduces its detection footprint by operating almost entirely through legitimate SMB file operations.

The campaign’s name intentionally references the infamous WannaCry ransomware outbreak of 2017, which exploited SMB vulnerabilities to spread globally. However, WantToCry differs fundamentally in its operational model. It is not self-propagating, does not rely on software exploits, and instead focuses on internet-exposed SMB services protected by weak or compromised credentials. This shift demonstrates how threat actors increasingly exploit misconfigurations and poor authentication hygiene rather than complex zero-day vulnerabilities.

How WantToCry Identifies and Targets Victims
Threat actors behind WantToCry begin their operations with large-scale internet reconnaissance. They scan for publicly accessible SMB services running on TCP ports 139 and 445 using platforms such as Shodan and Censys. These search engines continuously index exposed internet-facing services, making it easy for attackers to identify vulnerable organizations. As of January 7, 2026, over 1.5 million devices exposing SMB-related ports were reportedly visible online.
Once a potential target is identified, attackers automate brute-force authentication attempts against the SMB service. Instead of exploiting software vulnerabilities, the attackers rely on weak passwords, reused credentials, or poorly configured authentication mechanisms. This method allows them to gain direct authenticated access to remote file systems while avoiding the need to drop malware binaries or execute suspicious code locally.
This technique is particularly dangerous because many organizations still expose SMB services directly to the internet for convenience, remote administration, or legacy operational requirements. In many environments, insufficient password policies and outdated network configurations create ideal conditions for ransomware operators to succeed.
The Remote Encryption Workflow
The most technically unique aspect of WantToCry is its remote encryption methodology. After successfully authenticating through SMB, attackers exfiltrate files directly from the victim environment to attacker-controlled infrastructure. Encryption is then performed remotely on systems controlled by the threat actors rather than on the victim machine itself. Once encrypted, the files are written back to the victim system using the same authenticated SMB session.
Encrypted files receive the “.want_to_cry” extension, while ransom notes named “!Want_To_Cry.txt” are deposited across affected directories. Victims are instructed to contact the attackers through qTox or Telegram to negotiate payment and verify decryption capabilities using several test files.
The ransom demands observed in these attacks ranged from approximately US$400 to US$1,800, with many incidents requesting around US$600. These relatively low ransom amounts suggest the operators prioritize rapid monetization over prolonged negotiations or enterprise-wide disruption campaigns. Unlike sophisticated ransomware groups that conduct double extortion by leaking stolen data, WantToCry appears focused solely on file encryption and payment collection.
Infrastructure and Threat Actor Operations
SophosLabs researchers identified segmented infrastructure supporting different phases of the campaign. Reconnaissance and credential attacks originated from infrastructure associated with Russian hosting providers, while separate systems located across Germany, Russia, Singapore, and the United States handled encryption operations.
Researchers also observed virtual machine names such as WIN-J9D866ESIJ2 and WIN-LIVFRVQFMKO during multiple malicious campaigns, including LockBit, Qilin, and BlackCat ransomware operations. Although these identifiers do not definitively link the campaigns to the same threat actors, they illustrate how cybercriminals frequently reuse rented virtual infrastructure from legitimate hosting services and bulletproof hosting providers.

This infrastructure segmentation improves operational resilience and complicates attribution efforts, making investigations more difficult for defenders and law enforcement agencies.
Why Detection Is Difficult
Traditional Endpoint Detection and Response (EDR) solutions are heavily dependent on process monitoring, malware signatures, behavioral analytics, and local code execution telemetry. WantToCry bypasses many of these detection mechanisms because no malicious executable is launched on the victim machine. The ransomware activity is disguised as standard SMB file operations, which security products typically classify as legitimate network behavior.
However, network-level monitoring can still reveal suspicious activity patterns. Large-scale SMB read and write operations from unusual external IP addresses, especially outside business hours, can serve as indicators of compromise. File integrity monitoring and encryption detection technologies such as CryptoGuard remain effective because they analyze file content changes rather than relying solely on process activity.
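As an added example (not code from the original article or from SophosLabs), the following Python script applies the network-level indicators described above to constructed SMB file-operation audit lines: it flags sources that write “.want_to_cry” files or the “!Want_To_Cry.txt” note, and external addresses that perform bulk file operations or connect outside business hours. The log line format, the internal address ranges, the business-hours window and the bulk threshold are assumptions that would be adapted to a real file-server audit source or SIEM.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
# Constructed SMB file-operation audit lines (sample data, not a vendor format or a real incident).
SAMPLE_LOG = r"""
2026-01-07T02:14:05Z src=203.0.113.45 op=READ path=\\FS01\finance\q4\budget.xlsx
2026-01-07T02:14:06Z src=203.0.113.45 op=WRITE path=\\FS01\finance\q4\budget.xlsx.want_to_cry
2026-01-07T02:14:06Z src=203.0.113.45 op=DELETE path=\\FS01\finance\q4\budget.xlsx
2026-01-07T02:14:07Z src=203.0.113.45 op=WRITE path=\\FS01\finance\q4\!Want_To_Cry.txt
2026-01-07T10:30:00Z src=10.20.1.15 op=READ path=\\FS01\hr\handbook.pdf
2026-01-07T10:30:02Z src=10.20.1.15 op=WRITE path=\\FS01\hr\handbook-v2.pdf
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) op=(?P<op>\w+) path=(?P<path>.+)$")
RANSOM_EXT = ".want_to_cry"      # extension given to encrypted files
RANSOM_NOTE = "!want_to_cry.txt"  # ransom note name, compared case-insensitively
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BUSINESS_HOURS = range(8, 19)     # assumed 08:00-18:59 UTC; tune per site

def parse(log_text):
    # Yield one dict per well-formed line, with the timestamp parsed to a datetime.
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ev
def analyze(log_text, bulk_threshold=3):
    """Group SMB operations by source IP; return {src: [reasons]} for suspicious sources."""
    stats = defaultdict(lambda: {"ops": 0, "ransom": 0, "offhours": 0})
    for ev in parse(log_text):
        s = stats[ev["src"]]
        s["ops"] += 1
        name = ev["path"].rsplit("\\", 1)[-1].lower()
        if name.endswith(RANSOM_EXT) or name == RANSOM_NOTE:
            s["ransom"] += 1
        if ev["ts"].hour not in BUSINESS_HOURS:
            s["offhours"] += 1
    alerts = {}
    for src, s in stats.items():
        external = not any(ipaddress.ip_address(src) in net for net in INTERNAL_NETS)
        reasons = []
        if s["ransom"]:
            reasons.append("WantToCry artifacts written (.want_to_cry / !Want_To_Cry.txt)")
        if external and s["ops"] >= bulk_threshold:
            reasons.append("bulk SMB read/write/delete from external IP")
        if external and s["offhours"]:
            reasons.append("external SMB access outside business hours")
        if reasons:
            alerts[src] = reasons
    return alerts
```

Legitimate backup or replication jobs also generate bulk SMB operations, so in production the bulk and off-hours rules should be restricted to sources that are not on an allow-list, while the artifact rule can fire on its own.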
Our Opinion on the WantToCry Campaign
The WantToCry ransomware campaign highlights a major shift in modern cybercrime tactics. Instead of investing in sophisticated malware development or exploiting advanced software vulnerabilities, attackers are increasingly relying on operational weaknesses such as exposed services and weak credentials. This approach dramatically lowers the barrier to entry for cybercriminals while simultaneously reducing visibility for defenders.
What makes WantToCry particularly concerning is its simplicity. The attackers leverage legitimate network protocols already trusted within enterprise environments, making malicious activity appear normal to many security systems. This reflects a broader trend where ransomware groups prioritize stealth, speed, and efficiency over technical complexity. Organizations that continue exposing SMB services directly to the internet are effectively creating attack opportunities that can be discovered within minutes through public reconnaissance tools.
From a defensive perspective, the campaign reinforces the importance of strong cyber hygiene. Blocking inbound SMB traffic, disabling SMBv1, enforcing multi-factor authentication, implementing strong password policies, and continuously monitoring unusual network behavior are no longer optional best practices — they are fundamental security requirements. Modern ransomware threats are increasingly exploiting configuration weaknesses rather than software flaws, and organizations must adapt their defensive strategies accordingly. Ultimately, WantToCry demonstrates that even without advanced malware, attackers can still cause severe operational disruption if organizations fail to secure critical network services properly.
