Unknown Organizations: WantToCry Ransomware Exploits SMB to Encrypt Remote Files

New "WantToCry" Ransomware Campaign Exploits Exposed SMB Services

A recently identified ransomware campaign, dubbed WantToCry, is targeting organizations by abusing exposed Server Message Block (SMB) services to encrypt victim data without deploying traditional malware. Because the activity consists of ordinary SMB reads and writes rather than a dropped executable, the technique reduces the chance of detection by conventional endpoint security tools.

Despite its name, an apparent nod to the 2017 WannaCry outbreak, WantToCry is not self-propagating and shares no technical ties to its predecessor. Instead, attackers scan the internet for devices with exposed SMB ports (TCP 139 and 445), often using platforms like Shodan and Censys. As of early 2026, over 1.5 million devices were found to have SMB ports accessible online, creating a vast attack surface.

Once targets are identified, threat actors conduct brute-force attacks using weak or compromised credentials. After gaining access, they exfiltrate files over SMB to attacker-controlled infrastructure, where encryption occurs remotely. Encrypted files are then written back to the victim’s system with a .want_to_cry extension, accompanied by ransom notes (!Want_To_Cry.txt) demanding payments ranging from $400 to $1,800 in Bitcoin. Communication is offered via qTox or Telegram, though there is no evidence of double extortion or data leak threats.

The campaign’s infrastructure is segmented, with initial reconnaissance linked to a Russian hosting provider, while encryption operations span multiple countries, including Germany, the U.S., Singapore, and Russia. Researchers noted recurring virtual machine hostnames previously associated with other malware families like LockBit and BlackCat, though these are likely rented systems rather than unique identifiers of a single group.

Detection remains difficult, as WantToCry avoids executable malware, relying instead on legitimate SMB activity. However, unusual SMB traffic, such as sustained file operations from external IPs or abnormal authentication attempts, can serve as indicators. Organizations are advised to disable SMBv1, block inbound SMB traffic, enforce strong authentication, and monitor network activity to mitigate risks. Note that disabling SMBv1 does not by itself address this campaign, which relies on valid credentials rather than a protocol flaw; blocking inbound TCP 139 and 445 at the perimeter is the control that removes the exposure.
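As an added example (not code from the article or from the researchers it cites), the following Python script applies the three indicators above to Windows Security events exported one record per line: failed logons from an external address in a short window, sustained share access from an external address, and writes of the campaign's file artifacts. It assumes a constructed "key=value" line format rather than any real SIEM export, assumes event IDs 4625 (failed logon) and 5145 (network share object access) are being collected, which requires the Audit Logon and Audit Detailed File Share subcategories to be enabled on the file server, and uses illustrative thresholds. The sample log it runs on is constructed inline.

```python
"""Flag WantToCry-style SMB abuse in exported Windows Security events.

Added example, not code from the original article. Assumptions: records are
'k=v k=v ...' lines (constructed format, values contain no spaces) carrying
event IDs 4625 (failed logon) and 5145 (network share object access);
thresholds below are illustrative and must be tuned per environment.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Ranges treated as internal (assumption: RFC 1918 plus loopback and
# link-local). Any other address reaching a share over SMB is "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

FAILED_LOGON_THRESHOLD = 20               # 4625 events from one external IP
FAILED_LOGON_WINDOW = timedelta(minutes=5)   # inside this window -> brute force
SHARE_OPS_THRESHOLD = 50                  # 5145 events from one external IP
SHARE_OPS_WINDOW = timedelta(minutes=10)     # inside this window -> sustained ops

# Artifacts reported for this campaign (from the article).
RANSOM_EXT = ".want_to_cry"
RANSOM_NOTE = "!want_to_cry.txt"


def is_external(ip: str) -> bool:
    """True when the source address lies outside INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def parse_record(line: str) -> dict:
    """Parse one constructed 'k=v ...' record into a dict with typed fields."""
    rec = dict(tok.partition("=")[::2] for tok in line.split())
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["event_id"] = int(rec["event_id"])
    return rec


def _burst(times, threshold, window) -> bool:
    """True if at least `threshold` timestamps fall inside some `window`."""
    times = sorted(times)
    lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        if hi - lo + 1 >= threshold:
            return True
    return False


def analyze(lines) -> list:
    """Return (rule, detail) alerts for the three WantToCry indicators."""
    failed = defaultdict(list)      # src -> timestamps of 4625
    share_ops = defaultdict(list)   # src -> timestamps of 5145
    artifacts = []                  # (src, object) for ransomware artifacts
    for line in lines:
        rec = parse_record(line)
        src = rec.get("src", "")
        if not is_external(src):
            continue                # internal SMB is routine; other rules cover it
        if rec["event_id"] == 4625:
            failed[src].append(rec["ts"])
        elif rec["event_id"] == 5145:
            share_ops[src].append(rec["ts"])
            obj = rec.get("obj", "").lower()
            if obj.endswith(RANSOM_EXT) or obj.endswith(RANSOM_NOTE):
                artifacts.append((src, rec["obj"]))
    alerts = []
    for src, ts in failed.items():
        if _burst(ts, FAILED_LOGON_THRESHOLD, FAILED_LOGON_WINDOW):
            alerts.append(("smb_bruteforce_external", src))
    for src, ts in share_ops.items():
        if _burst(ts, SHARE_OPS_THRESHOLD, SHARE_OPS_WINDOW):
            alerts.append(("sustained_share_ops_external", src))
    alerts.extend(("wanttocry_artifact_written", f"{src} {obj}") for src, obj in artifacts)
    return alerts


def build_sample_log() -> list:
    """Constructed sample: an external host (TEST-NET-3 address) brute-forces
    a share, then reads and rewrites its files, finishing with the ransom
    note. One internal host's normal access is included and must not alert."""
    attacker, t0 = "203.0.113.45", datetime(2026, 1, 1, 3, 0, 0)
    lines = [f"ts={(t0 + timedelta(seconds=5 * i)).isoformat()} event_id=4625 "
             f"src={attacker} user=Administrator logon_type=3" for i in range(25)]
    t1 = t0 + timedelta(minutes=3)
    for i in range(60):            # last five writes carry the encrypted-file extension
        name = f"Finance\\report{i}.xlsx" + (RANSOM_EXT if i >= 55 else "")
        lines.append(f"ts={(t1 + timedelta(seconds=4 * i)).isoformat()} event_id=5145 "
                     f"src={attacker} user=Administrator share=\\\\*\\Finance obj={name}")
    lines.append(f"ts={(t1 + timedelta(minutes=5)).isoformat()} event_id=5145 "
                 f"src={attacker} user=Administrator share=\\\\*\\Finance obj=!Want_To_Cry.txt")
    lines.append(f"ts={(t1 + timedelta(minutes=1)).isoformat()} event_id=5145 "
                 f"src=10.0.0.12 user=alice share=\\\\*\\Finance obj=budget.xlsx")
    return lines


if __name__ == "__main__":
    for rule, detail in analyze(build_sample_log()):
        print(rule, detail)
```

Run it directly to print the alerts for the constructed sample. In practice the external-address test is the qualifier that matters: a legitimate user hammering a share from an internal address is noise, whereas any 5145 event whose source is an internet address means the share is reachable from outside and the perimeter block on 139/445 has already failed.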

The campaign underscores a growing trend of attackers exploiting misconfigurations rather than software vulnerabilities, emphasizing the need for robust access controls and for securing any service exposed to the internet.

Source: https://gbhackers.com/wanttocry-ransomware-exploits-smb/

Unknown Organizations TPRM report: https://www.rankiteo.com/company/unknowncyber

"id": "unk1779344688",
"linkid": "unknowncyber",
"type": "Ransomware",
"date": "5/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'type': 'Organizations'}],
 'attack_vector': 'Exposed SMB services (TCP 139, 445)',
 'data_breach': {'data_encryption': 'Yes (remote encryption)',
                 'data_exfiltration': 'Yes',
                 'type_of_data_compromised': 'Files (unspecified types)'},
 'date_detected': '2026-01-01',
 'description': 'A recently identified ransomware campaign, dubbed '
                '*WantToCry*, is targeting organizations by abusing exposed '
                'Server Message Block (SMB) services to encrypt victim data '
                'without deploying traditional malware. The attack method '
                'reduces detection risks, evading conventional security tools '
                'by leveraging legitimate SMB operations.',
 'impact': {'data_compromised': 'Files exfiltrated and encrypted',
            'operational_impact': 'Data encryption and ransom demands',
            'systems_affected': 'Systems with exposed SMB ports'},
 'initial_access_broker': {'entry_point': 'Exposed SMB ports'},
 'lessons_learned': 'The campaign underscores a growing trend of attackers '
                    'exploiting misconfigurations rather than software '
                    'vulnerabilities, emphasizing the need for robust access '
                    'controls and exposed service security.',
 'motivation': 'Financial gain',
 'post_incident_analysis': {'corrective_actions': 'Disable SMBv1, block '
                                                  'inbound SMB traffic, '
                                                  'enforce strong '
                                                  'authentication, monitor '
                                                  'network activity',
                            'root_causes': 'Exposed SMB services with weak or '
                                           'compromised credentials'},
 'ransomware': {'data_encryption': 'Yes',
                'data_exfiltration': 'Yes',
                'ransom_demanded': ['$400', '$1,800'],
                'ransomware_strain': 'WantToCry'},
 'recommendations': 'Disable SMBv1, block inbound SMB traffic, enforce strong '
                    'authentication, and monitor network activity for unusual '
                    'SMB traffic or abnormal authentication attempts.',
 'references': [{'source': 'Shodan'}, {'source': 'Censys'}],
 'response': {'containment_measures': 'Disable SMBv1, block inbound SMB '
                                      'traffic, enforce strong authentication, '
                                      'monitor network activity',
              'enhanced_monitoring': 'Monitor unusual SMB traffic and abnormal '
                                     'authentication attempts'},
 'title': 'WantToCry Ransomware Campaign',
 'type': 'Ransomware',
 'vulnerability_exploited': 'Exposed SMB ports with weak or compromised '
                            'credentials'}