
Threat Bulletin: WantToCry Ransomware Abuses SMB Services to Remotely Encrypt Files

Overview

A newly identified ransomware strain known as WantToCry is targeting organisations by abusing exposed Server Message Block (SMB) services to remotely encrypt victim files without deploying malware locally on compromised systems.

The campaign represents a significant evolution in ransomware tradecraft because the encryption process takes place entirely on attacker-controlled infrastructure rather than on the victim endpoint itself. Instead of deploying ransomware binaries onto compromised devices, attackers use legitimate SMB authentication and file-sharing functionality to remotely access files, encrypt them externally, and overwrite the originals through authenticated SMB sessions.

Researchers at SophosLabs observed the activity blending into normal SMB traffic patterns, making detection significantly more difficult for traditional antivirus (AV) and Endpoint Detection and Response (EDR) platforms. The campaign is particularly concerning given the number of internet-exposed SMB services globally, with researchers estimating that more than 1.5 million devices exposed SMB ports to the public internet as of January 2026.


What is WantToCry?

Despite the similar name, WantToCry is not related to the original 2017 WannaCry worm. Unlike WannaCry, it does not self-propagate or exploit SMB vulnerabilities directly. Instead, attackers rely on exposed SMB services, weak passwords, reused credentials, and brute-force authentication attempts to gain access to enterprise file shares.

Once authenticated access is obtained, the attackers exfiltrate files via SMB, encrypt them remotely on attacker-controlled infrastructure, and then upload the encrypted versions back into the victim environment. Because the encryption takes place off-host, many traditional ransomware detections never trigger.

Affected files are renamed with the extension:

.want_to_cry

Researchers also observed ransom notes named:

!Want_To_Cry.txt

Communication channels used by the attackers reportedly include Telegram and qTox.

 
How the Attack Works

The attack begins with internet-wide scanning for exposed SMB services over TCP ports 139 and 445. Attackers then perform automated SMB brute-force authentication attacks using weak, reused, or previously compromised credentials.

Once access is achieved, files are copied out of the environment through legitimate SMB sessions. The attackers then encrypt the data remotely before writing the encrypted files back to the original file shares. Finally, ransom notes are dropped into affected directories and file extensions are modified.

Importantly, researchers observed no malicious binaries or ransomware executables being deployed locally during the attack. This “malware-less ransomware” approach significantly reduces endpoint telemetry and forensic artefacts.


Why This Matters

This campaign demonstrates how ransomware operators are increasingly moving away from traditional malware deployment and instead abusing legitimate protocols and authenticated access to achieve operational impact.

Most ransomware detection technologies are designed to identify suspicious local encryption behaviour, malicious binaries, PowerShell abuse, or abnormal process activity on endpoints. WantToCry bypasses many of these controls because the encryption occurs externally while the SMB activity itself appears legitimate.

To many security tools, the activity may resemble normal file transfers, backup operations, or routine SMB usage. This substantially reduces visibility for AV platforms, EDR tooling, behavioural ransomware detections, and malware signature-based controls.

The campaign also reinforces the importance of credential security and exposure management. Because the attacks rely on authenticated SMB access rather than software exploitation, organisations with weak password policies, poor account lockout controls, or internet-exposed SMB services remain highly susceptible to compromise.


Detection & Monitoring Recommendations

Security teams should prioritise visibility into SMB authentication activity, network telemetry, and file-access behaviour rather than relying solely on malware detections.

SOC teams should monitor for repeated failed SMB logins followed by successful authentication, particularly from unusual geolocations or hosting-provider IP ranges. Sustained SMB sessions from external IP addresses, spikes in out-of-hours file access, and unusually high volumes of SMB read/write activity may also indicate malicious activity.

From a file-monitoring perspective, organisations should alert on the appearance of:

  • !Want_To_Cry.txt
  • .want_to_cry file extensions
  • rapid file rewrite or rename activity across SMB shares

Threat hunting should also include reviewing NetFlow or Zeek telemetry for anomalous SMB transfer volumes and correlating authentication activity with large-scale file modification events.
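The monitoring logic described above, written for this bulletin as an added example rather than code from Sophos or NormCyber: it runs over constructed sample SMB logon and file-share events and flags the failed-then-successful logon pattern, the !Want_To_Cry.txt ransom note, bursts of renames to .want_to_cry, and source addresses outside the organisation's own ranges. The event layout, thresholds and the INTERNAL_NETS list are assumptions to be replaced with real telemetry fields and address space.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

RANSOM_NOTE, ENCRYPTED_EXT = "!want_to_cry.txt", ".want_to_cry"  # matched case-insensitively
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # assumed ranges

# Constructed sample telemetry (not real logs): (timestamp, src_ip, kind, detail); "auth" rows are SMB logon outcomes, "file" rows are "<ACTION> <UNC path>".
SAMPLE_EVENTS = [("2026-01-10T02:00:0%d" % i, "203.0.113.7", "auth", "FAIL") for i in range(1, 6)] + [
    ("2026-01-10T02:00:09", "203.0.113.7", "auth", "SUCCESS"),
    ("2026-01-10T02:06:00", "203.0.113.7", "file", r"RENAME \\fs01\finance\q4.xlsx.want_to_cry"),
    ("2026-01-10T02:06:01", "203.0.113.7", "file", r"RENAME \\fs01\finance\payroll.csv.want_to_cry"),
    ("2026-01-10T02:06:02", "203.0.113.7", "file", r"RENAME \\fs01\finance\budget.docx.want_to_cry"),
    ("2026-01-10T02:06:05", "203.0.113.7", "file", r"WRITE \\fs01\finance\!Want_To_Cry.txt"),
    ("2026-01-10T09:15:00", "10.0.0.25", "auth", "FAIL"),  # one mistyped password, then success: benign
    ("2026-01-10T09:15:30", "10.0.0.25", "auth", "SUCCESS"),
]

def brute_force_then_success(events, min_failures=5, window=timedelta(minutes=10)):
    """Sources with >= min_failures failed SMB logons followed by a success inside the window."""
    fails, hits = defaultdict(list), set()
    for ts, src, _, outcome in sorted(e for e in events if e[2] == "auth"):
        now = datetime.fromisoformat(ts)
        fails[src] = [t for t in fails[src] if now - t <= window]  # forget failures outside the window
        if outcome == "FAIL":
            fails[src].append(now)
        elif len(fails[src]) >= min_failures:
            hits.add(src)
    return hits

def ransomware_file_activity(events, min_renames=3, window=timedelta(minutes=5)):
    """Sources that drop the ransom note or rename >= min_renames files to .want_to_cry in the window."""
    renames, hits = defaultdict(list), defaultdict(set)
    for ts, src, _, detail in sorted(e for e in events if e[2] == "file"):
        action, _, path = detail.partition(" ")
        name, now = path.rsplit("\\", 1)[-1].lower(), datetime.fromisoformat(ts)
        if name == RANSOM_NOTE:
            hits[src].add("ransom_note")
        elif action == "RENAME" and name.endswith(ENCRYPTED_EXT):
            renames[src] = [t for t in renames[src] if now - t <= window] + [now]
            if len(renames[src]) >= min_renames:
                hits[src].add("mass_rename")
    return dict(hits)

def alerts(events=SAMPLE_EVENTS):
    """Merge both detections; sources outside INTERNAL_NETS get an extra tag, since SMB should never be internet-facing."""
    out = defaultdict(set, ransomware_file_activity(events))
    for src in brute_force_then_success(events):
        out[src].add("brute_force_then_success")
    return {src: tags | ({"external_source"} if not any(ip_address(src) in n for n in INTERNAL_NETS) else set()) for src, tags in out.items()}
```

In production the same two detections would be fed from Windows logon events (or Zeek ntlm/smb_files logs) and share audit records, with the thresholds tuned to the environment's normal SMB volumes.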


Recommended Actions

Organisations should immediately review whether SMB services are exposed to the public internet and block inbound SMB traffic over TCP ports 139 and 445 wherever operationally possible.

SMB services should be hardened by disabling SMBv1, removing guest and anonymous access, and enforcing SMB signing where feasible. Credential security should also be strengthened through strong password policies, account lockout protections, and MFA for administrative access paths.

Backups should be reviewed to ensure they are offline or immutable and cannot be accessed directly over SMB.

Longer term, organisations should segment file-sharing infrastructure from internet-accessible services, continuously audit external exposure, and improve behavioural monitoring focused on SMB usage patterns and anomalous file operations rather than traditional malware indicators alone.


Analyst Assessment

WantToCry represents a notable evolution in ransomware operations by demonstrating how attackers can conduct encryption activity remotely using legitimate SMB functionality rather than deploying malware locally.

The campaign’s low-noise approach significantly complicates detection for organisations relying primarily on endpoint-focused security tooling. Although the ransom demands observed are relatively modest, the operational methodology is strategically important because it reflects the growing adoption of malware-less attacks, authenticated intrusion methods, and low-visibility ransomware operations.

For UK organisations, particularly those operating internet-accessible SMB infrastructure, the campaign reinforces the urgent need to eliminate external SMB exposure, strengthen credential controls, improve SMB behavioural monitoring, and modernise ransomware detection strategies beyond traditional malware-centric approaches.


How NormCyber MDR Helps Detect Low-Visibility Attacks

Attacks like WantToCry show why modern ransomware defence requires more than traditional antivirus and malware signatures. NormCyber’s Managed Detection and Response (MDR) service provides continuous monitoring across endpoints, identities, network traffic, and authentication telemetry to help identify low-noise attacks that abuse legitimate protocols such as SMB.

By correlating suspicious authentication activity, anomalous SMB behaviour, unusual file-access patterns, and external access attempts, our SOC analysts can detect early indicators of ransomware operations even when no malware is deployed locally. As attackers increasingly adopt malware-less techniques designed to evade conventional EDR visibility, NormCyber MDR helps organisations improve threat detection, accelerate containment, and strengthen resilience against modern ransomware campaigns targeting critical business infrastructure.

 
Sources

https://www.sophos.com/en-us/blog/wanttocry-ransomware-remotely-encrypts-files
https://cybersecuritynews.com/wanttocry-ransomware-abuses-smb-services/