A new ransomware variant, WantToCry, has emerged, targeting businesses by leveraging a common file-sharing protocol, SMB, to encrypt files remotely without deploying malware on victims’ systems. This tactic highlights a significant evolution in ransomware strategies, serving as a critical alert for any entity with exposed file-sharing services online.
Understanding the WantToCry Strategy
WantToCry takes its name from the notorious WannaCry ransomware of 2017, but the resemblance ends with the name: it is defined by its operational method, not by any connection to the earlier malware. Unlike WannaCry, WantToCry does not self-propagate, yet both target organizations with open SMB ports, using them as points of entry.
Research from SophosLabs reveals that WantToCry attackers exploit the SMB service to gain initial access and then transfer files to external servers for encryption. Because no malware executes locally, the footprint on the victim's system is minimal, with post-compromise activity limited to file exfiltration and encryption.
Operational Silence of WantToCry
One of the most concerning aspects of the WantToCry campaign is its stealth. The attackers' infrastructure handles the encryption entirely offsite, circumventing traditional security detections that rely on identifying local malware operations. The relatively low ransom demands, ranging from $400 to $1,800, fit this low-profile approach; the ransom amount is not the primary cause for alarm.
The scale of potential exposure is substantial. As of early 2026, over 1.5 million devices had vulnerable SMB ports open to the internet, each a potential target due to weak or compromised credentials. WantToCry’s method involves scanning for these vulnerable systems, employing tools similar to those used by legitimate security operations to pinpoint targets.
Defense and Detection Strategies
Detecting WantToCry is challenging due to its lack of local malicious activity. Security solutions that rely on identifying known malware signatures or suspicious processes might overlook this threat. However, tools that monitor for unusual file changes or encryption activities regardless of origin offer a stronger line of defense.
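The passage above argues for monitoring file changes and encryption activity regardless of where the write originates. The following Python script is an added example, not code from the article or from SophosLabs; it shows one way such a check can be built. It assumes a feed of file-write events that carries the timestamp, the path, the origin of the write (the SMB client address for a remote session, or "local" for an on-host process) and a sample of the new content. The content samples, the event list and the addresses (documentation ranges) are constructed for the example.

```python
import math
import random
from collections import defaultdict, deque
from datetime import datetime, timedelta


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: documents sit well below 6, ciphertext close to 8."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


# Constructed sample payloads: a text document and a seeded pseudo-random buffer
# standing in for ciphertext, so the example is deterministic and runs offline.
PLAINTEXT = (b"Quarterly report. Revenue grew 4% on stronger services demand; "
             b"operating costs were flat. See appendix for regional detail.\n") * 8
CIPHERTEXT = random.Random(2026).randbytes(1024)

T0 = datetime(2026, 1, 12, 3, 15, 0)
# (timestamp, path, origin of the write, first bytes of the new content), constructed.
# The events are deliberately unordered; the detector sorts them by time.
SAMPLE_WRITES = [
    (T0 + timedelta(seconds=0),  r"\\fs01\finance\q1.docx",     "203.0.113.9", CIPHERTEXT),
    (T0 + timedelta(seconds=3),  r"C:\Users\jdoe\notes.txt",    "local",       PLAINTEXT),
    (T0 + timedelta(seconds=8),  r"\\fs01\finance\q2.xlsx",     "203.0.113.9", CIPHERTEXT),
    (T0 + timedelta(seconds=12), r"\\fs01\it\backup-0112.7z",   "10.0.0.5",    CIPHERTEXT),
    (T0 + timedelta(seconds=15), r"\\fs01\finance\budget.pptx", "203.0.113.9", CIPHERTEXT),
    (T0 + timedelta(seconds=40), r"\\fs01\hr\handbook.pdf",     "203.0.113.9", CIPHERTEXT),
    (T0 + timedelta(seconds=22), r"\\fs01\finance\ledger.csv",  "203.0.113.9", CIPHERTEXT),
    (T0 + timedelta(seconds=30), r"\\fs01\hr\payroll.xlsx",     "203.0.113.9", CIPHERTEXT),
    (T0 + timedelta(seconds=50), r"C:\Users\jdoe\report.docx",  "local",       PLAINTEXT),
]


def detect_mass_encryption(writes, window_seconds=60, min_files=5, entropy_threshold=7.0):
    """Return one alert per origin that rewrites at least min_files files with
    ciphertext-like content inside a sliding window, whatever the origin is."""
    recent = defaultdict(deque)   # origin -> (timestamp, path) of recent high-entropy writes
    alerts = {}
    for ts, path, origin, sample in sorted(writes, key=lambda w: w[0]):
        if shannon_entropy(sample) < entropy_threshold:
            continue                      # ordinary document content, not of interest
        q = recent[origin]
        q.append((ts, path))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()                   # drop writes that fell out of the window
        if origin in alerts:
            alerts[origin]["files"].append(path)   # keep recording after the first alert
        elif len(q) >= min_files:
            alerts[origin] = {
                "origin": origin,
                "window_start": q[0][0],
                "window_end": ts,
                "files": [p for _, p in q],
            }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_mass_encryption(SAMPLE_WRITES):
        print(f"{alert['origin']}: {len(alert['files'])} files rewritten with "
              f"ciphertext-like content between {alert['window_start']:%H:%M:%S} "
              f"and {alert['window_end']:%H:%M:%S}")
```

A single high-entropy write is not evidence of anything: compressed archives, images and already-encrypted files look the same as ciphertext, which is why the constructed backup archive from 10.0.0.5 produces no alert. The signal is many files from one origin turning into ciphertext within a short window, and because the origin is just a label, a remote SMB session and a local process are judged by the same rule.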
Network monitoring is crucial, as WantToCry's operations generate noticeable patterns, such as unusual external SMB activity or brute-force login attempts. Organizations should consider disabling the outdated SMBv1 protocol and blocking SMB traffic on internet-facing ports.
Implementing extended detection and response solutions that can identify reconnaissance and brute-force activities against SMB services can provide an effective early-warning system, offering a critical layer of defense.
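The two paragraphs above describe the early-warning signal: brute-force or password-spraying attempts against SMB, followed by a successful network logon. The Python script below is an added example of that detection logic, not code from the article or from any vendor's XDR product. It runs over a constructed log in a simplified key=value layout modelled on the Windows Security events 4625 (failed logon) and 4624 (successful logon); LogonType 3 is a network logon, which is what SMB authentication produces. The addresses, user names and timestamps are constructed for the example, and a real deployment would read the events from the event log or a SIEM instead of a string.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not a real capture): one address hammers several accounts
# over SMB and finally gets in; a second address fails once and then logs in normally.
SAMPLE_LOG = """\
2026-01-12T03:14:01Z EventID=4625 LogonType=3 TargetUserName=administrator IpAddress=198.51.100.23 Status=0xC000006D
2026-01-12T03:14:02Z EventID=4625 LogonType=3 TargetUserName=administrator IpAddress=198.51.100.23 Status=0xC000006D
2026-01-12T03:14:04Z EventID=4625 LogonType=3 TargetUserName=backup IpAddress=198.51.100.23 Status=0xC000006D
2026-01-12T03:14:05Z EventID=4625 LogonType=3 TargetUserName=backup IpAddress=198.51.100.23 Status=0xC000006D
2026-01-12T03:14:07Z EventID=4625 LogonType=3 TargetUserName=scans IpAddress=198.51.100.23 Status=0xC000006D
2026-01-12T03:14:09Z EventID=4625 LogonType=3 TargetUserName=scans IpAddress=198.51.100.23 Status=0xC000006D
2026-01-12T03:14:10Z EventID=4625 LogonType=2 TargetUserName=jdoe IpAddress=127.0.0.1 Status=0xC000006D
2026-01-12T03:14:12Z EventID=4625 LogonType=3 TargetUserName=finance IpAddress=198.51.100.23 Status=0xC000006D
2026-01-12T03:14:15Z EventID=4625 LogonType=3 TargetUserName=finance IpAddress=198.51.100.23 Status=0xC000006D
2026-01-12T03:14:20Z EventID=4624 LogonType=3 TargetUserName=finance IpAddress=198.51.100.23
2026-01-12T03:20:00Z EventID=4625 LogonType=3 TargetUserName=jdoe IpAddress=192.0.2.44 Status=0xC000006D
2026-01-12T03:20:30Z EventID=4624 LogonType=3 TargetUserName=jdoe IpAddress=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)(?: Status=(?P<status>\S+))?$"
)


def parse_line(line):
    """Parse one record of the simplified layout; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "event_id": int(m["eid"]),
        "logon_type": int(m["lt"]),
        "user": m["user"],
        "ip": m["ip"],
    }


def detect_smb_bruteforce(lines, window_seconds=120, min_failures=5, spray_users=3):
    """One alert per source address with >= min_failures network-logon failures inside
    the sliding window. A later successful network logon from the same address
    raises the severity: that is the brute-force-then-access pattern to act on first."""
    state = defaultdict(lambda: {"recent": deque(), "failures": 0, "users": set(),
                                 "triggered_at": None, "success_user": None})
    for rec in map(parse_line, lines):
        if rec is None or rec["logon_type"] != 3:
            continue                          # only network logons matter for SMB
        s = state[rec["ip"]]
        if rec["event_id"] == 4625:
            s["failures"] += 1
            s["users"].add(rec["user"])
            s["recent"].append(rec["ts"])
            while (rec["ts"] - s["recent"][0]).total_seconds() > window_seconds:
                s["recent"].popleft()
            if len(s["recent"]) >= min_failures and s["triggered_at"] is None:
                s["triggered_at"] = rec["ts"]
        elif rec["event_id"] == 4624 and s["triggered_at"] is not None:
            s["success_user"] = rec["user"]   # success after a burst of failures
    alerts = []
    for ip, s in state.items():
        if s["triggered_at"] is None:
            continue
        alerts.append({
            "ip": ip,
            "failures": s["failures"],
            "users": sorted(s["users"]),
            "password_spray": len(s["users"]) >= spray_users,
            "triggered_at": s["triggered_at"],
            "succeeded_after": s["success_user"] is not None,
            "success_user": s["success_user"],
            "severity": "critical" if s["success_user"] else "high",
        })
    return alerts


if __name__ == "__main__":
    for a in detect_smb_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"[{a['severity']}] {a['ip']}: {a['failures']} failed network logons "
              f"against {len(a['users'])} accounts; "
              f"success afterwards: {a['success_user'] or 'none'}")
```

The window and threshold are deliberately modest; a single source failing five network logons in two minutes is unusual on most file servers, and the per-source count of distinct accounts separates password spraying from a forgotten password. The one failure from 192.0.2.44 never reaches the threshold, so its later success is treated as a normal logon.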
Conclusion and Future Implications
The WantToCry ransomware campaign underscores the importance of robust cybersecurity practices, especially for organizations with exposed network services. As cyber threats evolve, so too must our defensive measures, ensuring that systems, protocols, and credentials are continuously audited and secured.
Staying informed and proactive is vital. Organizations are encouraged to reinforce their cybersecurity frameworks, regularly update their defenses, and remain vigilant against emerging threats like WantToCry.
