Overview
A new ransomware strain dubbed WantToCry is targeting businesses by exploiting the Server Message Block (SMB) protocol — a core Windows file‑sharing service — to encrypt files remotely, without ever dropping malware on the victim’s system.
This campaign represents a major evolution in ransomware tactics. Instead of executing malicious code locally, attackers use legitimate SMB sessions to pull files off the victim’s network, encrypt them on their own infrastructure, and then push the encrypted versions back.

How WantToCry Works
While its name echoes the infamous WannaCry worm of 2017, WantToCry operates very differently. It does not self‑propagate, and there’s no evidence linking the two operations. What they share is a common weakness: open SMB ports exposed to the internet.
Researchers at SophosLabs found that WantToCry attackers:
- Scan the internet for systems with TCP 139 and TCP 445 ports open.
- Use tools like Shodan and Censys to identify vulnerable hosts.
- Launch automated brute‑force attacks against SMB services using weak or leaked credentials.
- Once authenticated, exfiltrate files via SMB, encrypt them remotely, and rewrite them to disk with the .want_to_cry extension.
No malware is installed locally — the encryption happens entirely offsite, making detection by endpoint tools extremely difficult.
Ransom Demands and Behavior
Victims receive a ransom note named !Want_To_Cry.txt, demanding payment in Bitcoin.
- Ransom amounts range from $400 – $1,800 per victim.
- Attackers offer to decrypt up to three files for free as proof of capability.
- Contact channels include qTox and Telegram (hxxps://t[.]me/want_to_cry_team).
The stealth of this campaign — operating without local malware — makes it particularly dangerous. Traditional antivirus and EDR solutions often fail to detect it because SMB file operations appear as normal system activity.
Detection Challenges
Since no malicious process runs locally, signature‑based detection is ineffective.
- SMB traffic looks legitimate, blending into routine network activity.
- Encryption occurs remotely, leaving few forensic artifacts.
- The only observable indicators are sustained SMB read/write operations from external IPs, often outside business hours.
Defensive Recommendations
Organizations can reduce exposure by hardening SMB configurations and monitoring network behavior:
- Disable SMBv1 — it’s outdated and vulnerable.
- Block inbound SMB traffic at firewalls.
- Remove guest or anonymous SMB access to prevent unauthorized connections.
- Ensure backups are isolated and not reachable via SMB protocols.
- Deploy extended detection and response (XDR) tools capable of spotting brute‑force and reconnaissance activity.
- Monitor SMB traffic patterns for unusual external read/write volumes.
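The detection challenges and the monitoring recommendation above come down to one question: which SMB clients are external, sustained in both reads and writes, active off hours, and writing names tied to this campaign? The following Python script is an added example for this article, not code from SophosLabs or the report. It scores constructed SMB file-access audit records against those signals. Everything about the input is an assumption: the record format (ISO timestamp, client IP, READ or WRITE, share-relative path, byte count), RFC1918 space as the organisation's internal ranges, 08:00 to 17:59 Monday to Friday as business hours, and four operations of each kind as the "sustained" threshold.

```python
"""Heuristic scoring of SMB audit records for WantToCry-style remote encryption.

Added example, not code from the article or SophosLabs. Signals scored:
external client, sustained read-plus-write activity, operations outside
business hours, and writes of names carrying the .want_to_cry extension
or the !Want_To_Cry.txt ransom note (both taken from the IoC table).
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# File names the article associates with the campaign.
SUSPICIOUS_NAME = re.compile(r"(\.want_to_cry|!Want_To_Cry\.txt)$", re.IGNORECASE)
# Assumed organisation-internal ranges; replace with the real address plan.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BUSINESS_HOURS = range(8, 18)   # assumed 08:00-17:59, Monday to Friday
MIN_OPS = 4                     # assumed: >= 4 reads and >= 4 writes is "sustained"

# Constructed sample records (not real telemetry). 2024-03-10 is a Sunday.
# Format: "<ISO timestamp> <client IP> <READ|WRITE> <path> <bytes>"
SAMPLE_LOG = """\
2024-03-10T02:13:05 203.0.113.45 READ finance/q1.xlsx 524288
2024-03-10T02:13:07 203.0.113.45 WRITE finance/q1.xlsx.want_to_cry 524320
2024-03-10T02:13:09 203.0.113.45 READ finance/q2.xlsx 311296
2024-03-10T02:13:11 203.0.113.45 WRITE finance/q2.xlsx.want_to_cry 311328
2024-03-10T02:13:14 203.0.113.45 READ hr/payroll.csv 20480
2024-03-10T02:13:15 203.0.113.45 WRITE hr/payroll.csv.want_to_cry 20512
2024-03-10T02:13:18 203.0.113.45 READ hr/contracts.docx 98304
2024-03-10T02:13:20 203.0.113.45 WRITE hr/contracts.docx.want_to_cry 98336
2024-03-10T02:13:22 203.0.113.45 READ hr/notes.txt 1024
2024-03-10T02:13:23 203.0.113.45 WRITE hr/notes.txt.want_to_cry 1056
2024-03-10T02:13:25 203.0.113.45 WRITE hr/!Want_To_Cry.txt 812
2024-03-10T02:13:26 203.0.113.45 WRITE finance/!Want_To_Cry.txt 812
2024-03-11T09:02:10 10.0.0.7 READ finance/q1.xlsx 524288
2024-03-11T09:02:40 10.0.0.7 WRITE finance/q1.xlsx 525000
2024-03-11T09:05:12 10.0.0.7 READ finance/q2.xlsx 311296
2024-03-11T09:06:01 10.0.0.7 WRITE finance/q2.xlsx 312000
2024-03-11T09:10:33 10.0.0.7 READ hr/notes.txt 1024
2024-03-11T09:11:02 10.0.0.7 WRITE hr/notes.txt 1100
2024-03-11T09:15:44 10.0.0.7 READ hr/payroll.csv 20480
2024-03-11T09:16:20 10.0.0.7 WRITE hr/payroll.csv 20600
2024-03-11T10:05:00 198.51.100.9 READ public/brochure.pdf 2097152
"""


@dataclass
class SmbEvent:
    ts: datetime
    client: str
    op: str
    path: str
    size: int


def parse_log(text):
    """Parse the assumed audit format; blank lines and '#' comments are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, client, op, path, size = line.split()
        events.append(SmbEvent(datetime.fromisoformat(ts), client, op.upper(), path, int(size)))
    return events


def is_external(ip):
    """True when the client address is outside the assumed internal ranges."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def off_hours(ts):
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def analyze(events, min_ops=MIN_OPS):
    """Return {client_ip: [reasons]} for external clients matching the article's
    indicators. Internal clients are not scored by this heuristic."""
    by_client = defaultdict(list)
    for ev in events:
        by_client[ev.client].append(ev)

    alerts = {}
    for client, evs in by_client.items():
        if not is_external(client):
            continue
        reads = sum(ev.op == "READ" for ev in evs)
        writes = sum(ev.op == "WRITE" for ev in evs)
        encrypted = sum(ev.op == "WRITE" and bool(SUSPICIOUS_NAME.search(ev.path)) for ev in evs)
        after_hours = sum(off_hours(ev.ts) for ev in evs)
        reasons = []
        if encrypted:
            reasons.append(f"{encrypted} writes of .want_to_cry / ransom-note names")
        if reads >= min_ops and writes >= min_ops:
            reasons.append(f"sustained external read/write ({reads} reads, {writes} writes)")
            if after_hours > len(evs) / 2:
                reasons.append(f"{after_hours}/{len(evs)} operations outside business hours")
        if reasons:
            alerts[client] = reasons
    return alerts


if __name__ == "__main__":
    for client, reasons in analyze(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {client}: " + "; ".join(reasons))
```

Run against the sample, the script flags only 203.0.113.45: it is external, its reads and writes both clear the threshold, every operation falls on a Sunday, and seven of its writes carry campaign file names. The internal workstation doing the same volume of reads and writes during the day is never scored, and the single external read is below the threshold. In production the records would come from share-access auditing or a network sensor, and the thresholds should be tuned to the site's normal external SMB volume, which for most organisations should be zero once the firewall recommendation above is in place.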
Indicators of Compromise (IoCs)
| Type | Indicator | Description |
|---|---|---|
| IP Address | 87.225.105.217 | Russia‑based host used for SMB brute‑force attempts |
| IP Address | 109.69.58.213 | Attacker‑controlled encryption infrastructure (Germany) |
| IP Address | 185.189.13.56 | Attacker‑controlled infrastructure (Russia) |
| IP Address | 185.200.191.37 | Attacker‑controlled infrastructure (United States) |
| IP Address | 194.36.179.18 | Attacker‑controlled infrastructure (Singapore) |
| IP Address | 194.36.179.30 | Attacker‑controlled infrastructure (Singapore) |
| File Name | !Want_To_Cry.txt | Ransom note dropped in affected directories |
| File Extension | .want_to_cry | Appended to encrypted files |
| URL | hxxps://t[.]me/want_to_cry_team | Telegram contact channel |
| Host Name | WIN-J9D866ESJ2 | Windows Server 2016 VM used in attack infrastructure |
| Host Name | WIN-LVFRVQFMKO | Windows Server 2019 VM observed in campaign |
(Indicators are defanged to prevent accidental resolution. Re‑fang only in controlled threat‑intelligence environments.)
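The following Python script is an added example, not code from the article or SophosLabs, showing how the indicators above are re-fanged and matched against local telemetry. The IP and URL values are copied from the table; the firewall and DNS records are constructed, and their formats (timestamp, action, source and destination socket for the firewall; timestamp, client, queried name for DNS) are assumptions.

```python
"""Re-fang the published WantToCry indicators and match them against logs.

Added example, not code from the article or SophosLabs. Indicator values
come from the IoC table; the log records below are constructed.
"""
import re

# Copied from the table; the URL is kept defanged exactly as published.
DEFANGED_IOCS = {
    "ip": ["87.225.105.217", "109.69.58.213", "185.189.13.56",
           "185.200.191.37", "194.36.179.18", "194.36.179.30"],
    "url": ["hxxps://t[.]me/want_to_cry_team"],
}

# Constructed firewall records: "<ts> <ACTION> <src IP>:<port> -> <dst IP>:<port>".
SAMPLE_FIREWALL = """\
2024-03-10T01:58:44 DENY 87.225.105.217:51234 -> 192.0.2.20:445
2024-03-10T01:58:45 DENY 87.225.105.217:51235 -> 192.0.2.20:445
2024-03-10T02:12:59 ALLOW 109.69.58.213:49822 -> 192.0.2.20:445
2024-03-11T09:14:02 ALLOW 10.0.0.7:53412 -> 192.0.2.10:443
"""
# Constructed DNS query records: "<ts> <client IP> <queried name>".
SAMPLE_DNS = """\
2024-03-10T02:20:11 10.0.0.55 t.me
2024-03-11T09:14:00 10.0.0.7 example.com
"""


def refang(indicator):
    """Undo the common defanging conventions: hxxp(s), [.] and [:]."""
    return (indicator.replace("hxxps://", "https://").replace("hxxp://", "http://")
            .replace("[.]", ".").replace("[:]", ":"))


def indicator_sets():
    """Return (ip_set, host_set) with every indicator re-fanged."""
    ips = {refang(i) for i in DEFANGED_IOCS["ip"]}
    hosts = set()
    for url in DEFANGED_IOCS["url"]:
        m = re.match(r"https?://([^/]+)", refang(url))
        if m:
            hosts.add(m.group(1).lower())
    return ips, hosts


def match_logs(firewall_text, dns_text):
    """Return a list of hit records for every log line touching an indicator."""
    ips, hosts = indicator_sets()
    hits = []
    for line in firewall_text.splitlines():
        m = re.match(r"(\S+) (\S+) (\S+):\d+ -> (\S+):\d+", line)
        if not m:
            continue
        ts, action, src, dst = m.groups()
        for ip in (src, dst):
            if ip in ips:
                hits.append({"ts": ts, "type": "ip", "indicator": ip, "action": action})
    for line in dns_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2].lower() in hosts:
            hits.append({"ts": parts[0], "type": "host", "indicator": parts[2], "client": parts[1]})
    return hits


if __name__ == "__main__":
    for hit in match_logs(SAMPLE_FIREWALL, SAMPLE_DNS):
        print(hit)
```

On the sample data the script reports the two denied and one allowed connection from the listed IPs to port 445, plus one DNS lookup of t.me. Note the difference in weight: an inbound SMB connection from a listed address is a direct match on the campaign's infrastructure, whereas t.me is a shared Telegram domain, so a DNS hit on it is corroborating context rather than evidence on its own.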
Final Thoughts
WantToCry demonstrates how ransomware operators are evolving beyond traditional malware delivery. By abusing legitimate network protocols, they bypass endpoint defenses and exploit weak authentication to achieve remote encryption.
For defenders, this campaign is a wake‑up call: visibility into SMB traffic and credential hygiene are now as critical as patching vulnerabilities.