WantToCry ransomware evades detection through SMB abuse, remote encryption

May 20, 2026

By Laura French

Attacks using WantToCry ransomware are targeting exposed Server Message Block (SMB) ports and utilizing remote encryption to minimize the chance of detection, Sophos reported Tuesday.

WantToCry ransomware, not to be confused with WannaCry, has been around since at least early 2024, as indicated by a February 2024 PCrisk guide covering the WantToCry strain. Files encrypted by WantToCry have the “.want_to_cry” extension, and attackers leave behind a ransom note titled “!want_to_cry.txt”.

Research by the Sophos Counter Threat Unit Research Team found that WantToCry targets victims by scanning for SMB services exposed to the internet on ports 139 and 445. A January 2026 scan using Shodan revealed more than 1.5 million exposed SMB ports, most of which were located in the United States (more than 600,000 ports), Sophos said.

Attackers initiate authenticated SMB sessions through brute-force attempts or compromised credentials, and then use these sessions to exfiltrate files for remote encryption. Files are encrypted on the attacker’s server rather than on the victim’s machine, limiting the chance of detection because no malware is executed in the victim’s environment. After remote encryption, the encrypted files are written back to their original locations over the same SMB sessions, according to Sophos.

WantToCry’s ransom demands are significantly lower than those of many major ransomware groups, ranging from $300 to $1,800 in Bitcoin. Ransom notes instruct victims to make contact via qTox or Telegram, where they are offered the decryption of three small files for free as evidence that decryption is possible. The ransom note indicates that a new Bitcoin wallet is created for each victim. Although WantToCry exfiltrates files via SMB, there is no evidence that these files are used for extortion, as seen in typical double-extortion ransomware schemes.
Sophos traced WantToCry’s infrastructure to several different IP addresses: one IP address associated with a Russian hosting provider was used for reconnaissance and brute-force attempts, while six other IP addresses spread across Russia, Germany, the United States and Singapore were observed using authenticated SMB sessions for file writes and exfiltration.

Sophos also identified two computer names used by the attackers: WIN-J9D866ESIJ2, a Windows Server 2016 device, and WIN-LIVFRVQFMKO, a Windows Server 2019 device. Both computer names were noted to be associated with virtual machines provided by the legitimate IT infrastructure management provider ISPsystem, which may have been repurposed by bulletproof hosting providers to facilitate malicious activity, Sophos assessed. WIN-J9D866ESIJ2 was previously reported by Team Cymru to be involved in attacks deploying NetSupport RAT in 2025. WIN-LIVFRVQFMKO has also been associated with attacks linked to LockBit, Qilin and ALPHV/BlackCat ransomware, based on research by Sophos and third-party researchers.

Sophos noted that while WantToCry does not deploy ransomware locally, and leaves no running processes to be detected by endpoint detection and response (EDR) and antivirus solutions, its activity can still be detected via network and authentication artifacts. The researchers said organizations should monitor for unusual SMB read and write operations from external IP addresses and block inbound SMB traffic on ports TCP/139 and TCP/445 when possible. They also recommend disabling the outdated SMBv1 protocol and any “guest” or anonymous SMB access. Further, organizations should ensure they have regular backups of important files and that backups cannot be accessed via the SMB protocol.
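The detection idea in the last paragraph, watching SMB file reads and writes from external addresses and combining them with the reported file extension and ransom note name, as an added Python example that is not from the Sophos report or this article. The Zeek-like field layout, the log records and the RFC 1918 definition of “internal” are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed Zeek-style smb_files.log excerpt (ts, orig_h, action, name), invented for this example.
SAMPLE_LOG = """\
1768000002.2\t203.0.113.77\tSMB::FILE_READ\tfinance\\Q4.xlsx
1768000009.8\t203.0.113.77\tSMB::FILE_WRITE\tfinance\\Q4.xlsx.want_to_cry
1768000010.0\t203.0.113.77\tSMB::FILE_WRITE\tfinance\\!want_to_cry.txt
1768000011.3\t10.0.0.15\tSMB::FILE_READ\tshared\\notes.docx
1768000012.4\t10.0.0.15\tSMB::FILE_WRITE\tshared\\notes.docx
"""

ENCRYPTED_EXT = ".want_to_cry"    # file extension and ransom note name reported for WantToCry
RANSOM_NOTE = "!want_to_cry.txt"
# Assumption: the organisation's internal address space is exactly the RFC 1918 ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_external(ip):
    return not any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def parse_smb_files(text):
    for line in text.splitlines():
        if line and not line.startswith("#"):  # skip blank lines and Zeek '#' header lines
            ts, src, action, name = line.split("\t")
            yield float(ts), src, action, name

def analyze(text):
    """Summarise SMB file activity per client and flag the remote-encryption pattern."""
    per_src = defaultdict(lambda: {"external": False, "reads": 0, "writes": 0,
                                   "read_then_encrypted": [], "ransom_note": False})
    read_files = defaultdict(set)  # files each client has already read in this log
    for _ts, src, action, name in parse_smb_files(text):
        rec = per_src[src]
        rec["external"] = is_external(src)
        if action == "SMB::FILE_READ":
            rec["reads"] += 1
            read_files[src].add(name)
        elif action == "SMB::FILE_WRITE":
            rec["writes"] += 1
            if name.rsplit("\\", 1)[-1] == RANSOM_NOTE:
                rec["ransom_note"] = True
            elif name.endswith(ENCRYPTED_EXT) and name[:-len(ENCRYPTED_EXT)] in read_files[src]:
                rec["read_then_encrypted"].append(name)  # plaintext read, ciphertext written back
    return dict(per_src)

def suspicious_sources(summary):
    """Clients to alert on: any external SMB file access, or WantToCry encryption artefacts."""
    return sorted(src for src, r in summary.items()
                  if r["external"] or r["ransom_note"] or r["read_then_encrypted"])
```

Any external client touching a file share is already worth an alert on its own; the read-then-write-back and ransom note checks tell the analyst which of those sessions match the pattern described above.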