SophosLabs analysts investigated WantToCry ransomware attacks that involved the threat actors abusing the Server Message Block (SMB) service for initial access and then exfiltrating files to attacker-controlled infrastructure for remote encryption. The detection surface is significantly reduced because WantToCry operates without local malware execution, and there is no post-compromise activity beyond exfiltrating files and rewriting them to disk.
The WantToCry name appears to be a reference to the notorious WannaCry (also known as WCry) ransomware worm, which propagated via a vulnerability in SMB at the start of 2017. While WantToCry is not self-propagating and there is no evidence to suggest that the two operations are connected, organizations with internet-exposed SMB services are similarly at risk.
By analyzing the WantToCry attacks, SophosLabs analysts determined how the attackers identified potential victims through reconnaissance, gained access to networks by abusing exposed SMB services that relied on weak authentication, used the same protocol to exfiltrate files to attacker-controlled infrastructure, deployed remote encryption, used SMB again to rewrite the encrypted files to the local host, and delivered a ransom note demanding payment. The analysts also mapped some of the infrastructure used in the campaigns.
Identification of potential victims
WantToCry operators identify potential victims by scanning the internet for open SMB ports. The threat actors likely use the same reconnaissance services as legitimate security teams. Services such as Shodan and Censys continuously scan internet-facing systems, creating readily available databases of exposed services that attackers can leverage for target selection. As of January 7, 2026, Shodan identified over 1.5 million devices that had ports used by SMB (TCP ports 139 and 445) exposed to the internet (see Figure 1).

Figure 1: Top ten locations for devices exposing SMB ports (Source: shodan.io)
Access and encryption
WantToCry operators then attempt to gain access to the targets’ networks. In the attacks SophosLabs analysts observed, the threat actors automated brute-force attempts targeting SMB services exposed to the internet on ports 139 and 445. After successfully authenticating using compromised or weak credentials, the attackers initiated file exfiltration via authenticated SMB sessions.
The subsequent encryption process was initiated on the exfiltrated files stored on attacker-controlled infrastructure. The encrypted files were then written to the original locations on the victims’ systems via the same authenticated SMB sessions. WantToCry leaves ransom notes named !Want_To_Cry.txt on affected systems and appends the .want_to_cry suffix to encrypted files.
Two different ransom note templates were observed. One invites the victim to communicate with the threat actors over qTox (see Figure 2); the other is almost identical but lists a Telegram account (hxxps://t[.]me/want_to_cry_team) for communication. Victims can allegedly use these channels to prove the efficacy of decryption on up to three test files and to obtain the details of the unique Bitcoin wallet to which the ransom payment should be made.

Figure 2: Ransom note observed in WantToCry attacks
In each incident, the attacker demanded a $600 USD ransom for the keys necessary to decrypt files. In other publicly disclosed ransom notes, demands ranged from $400 to $1,800. These amounts are low compared to traditional ransom demands and likely reflect the limited scope of the ransomware deployment. There is no post-intrusion activity in WantToCry attacks — that is, there is no positioning of the ransomware for maximum impact across a compromised environment. Therefore, it is likely that in many cases the encryption occurs only on files stored on the host that exposed SMB services to the internet. Although data exfiltration is a crucial part of the encryption process, there is no evidence of stolen data being used to extort victims in a name-and-shame or double extortion model.
Infrastructure
SophosLabs analysts observed threat actors using segmented infrastructure for the different attack phases. Reconnaissance activities identifying exposed SMB services and conducting systematic authentication attempts against discovered targets originated from an IP address associated with a Russia-based hosting provider (87[.]225[.]105[.]217).
Once valid credentials were obtained, a separate set of attacker-controlled systems initiated the encryption phase. These systems established authenticated SMB sessions and performed sustained file read and write operations. Analysis of observed attacks revealed five IP addresses geolocating to different countries:
- 109[.]69[.]58[.]213 - Germany
- 185[.]189[.]13[.]56 - Russian Federation
- 185[.]200[.]191[.]37 - United States of America
- 194[.]36[.]179[.]18 - Singapore
- 194[.]36[.]179[.]30 - Singapore
Two different computer names were used in the attacks: WIN-J9D866ESIJ2 (a Windows Server 2016 device) and WIN-LIVFRVQFMKO (a Windows Server 2019 device). A Sophos CryptoGuard detection from January 6, 2026 showed that an IP address associated with the WIN-J9D866ESIJ2 host wrote a WantToCry ransom note to multiple directories (see Figure 3).

Figure 3: CryptoGuard detection for a WantToCry incident that involved a threat actor device named WIN-J9D866ESIJ2
Third-party researchers observed the WIN-J9D866ESIJ2 computer name in attacks involving the deployment of NetSupport RAT. WIN-LIVFRVQFMKO was previously observed by both Sophos and third-party researchers in a range of malicious activity, including attacks involving LockBit, Qilin, and BlackCat (also known as ALPHV) ransomware. However, a shared computer name does not mean that the same device was used or that the same threat actor was responsible. Both of these computer names are assigned to virtual machines provisioned through ISPsystem, a legitimate provider of IT infrastructure management platforms, so they will also appear in non-malicious activity. However, virtual machines generated by legitimate vendors can be repurposed by bulletproof hosting providers and leased to a variety of threat actors. Counter Threat Unit™ (CTU) researchers have detailed the abuse of virtual machines.
Detection challenges
Endpoint detection and response (EDR) protections and antivirus solutions face challenges when confronting the methodology used in WantToCry attacks. These systems typically rely on process-based indicators, behavioral analysis of running applications, and identification of known malware signatures. Since WantToCry operates without local code execution, there are no associated suspicious processes to analyze or malicious files to identify. Furthermore, security tools typically classify file operations conducted via the SMB protocol as normal system behavior rather than potential threat activity. However, tools that monitor file content changes, like Sophos CryptoGuard, detect encryption activity regardless of its source, rather than attempting to identify malicious processes or behavioral patterns.
Despite the reduced detection surface, WantToCry operations do generate observable network and authentication artifacts. Network monitoring can identify sustained SMB read and write operations originating from external IP addresses, particularly when these operations involve unusual volumes of file access or occur outside normal business patterns.
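The network and authentication artifacts described above can be hunted for directly in Windows audit data. The following PowerShell is an added example and is not code from the Sophos report: it runs two checks over constructed records shaped like Security event 4625 (failed logons: IpAddress, LogonType, TargetUserName) and Security event 5145 (share-object access checks: IpAddress, ShareName, RelativeTargetName, AccessMask; this event requires the "Audit Detailed File Share" subcategory to be enabled). The thresholds, the function names, and the 203.0.113.10 address standing in for an attacker-controlled host are this example's own assumptions.

```powershell
# Added example (not code from the Sophos report): hunting logic over SMB
# authentication and share-access audit records. Real records would be read
# with Get-WinEvent from the Security log (events 4625 and 5145); the sample
# data below is constructed. Thresholds are this example's own choices.

function Test-PrivateIPv4 {
    param([string]$Address)
    # RFC 1918 ranges plus loopback; anything else is treated as external.
    return [bool]($Address -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.)')
}

function Find-SmbBruteForce {
    # Flags source addresses with many failed network (LogonType 3) logons,
    # the pattern produced by automated password guessing against SMB.
    param([object[]]$FailedLogons, [int]$Threshold = 20)
    $FailedLogons | Where-Object { $_.LogonType -eq 3 } |
        Group-Object -Property IpAddress |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            [pscustomobject]@{
                IpAddress = $_.Name
                Failures  = $_.Count
                Accounts  = ($_.Group.TargetUserName | Sort-Object -Unique) -join ','
            }
        }
}

function Find-RemoteEncryptionActivity {
    # Scores each source address on the three signals the report describes:
    # ransom notes written, files carrying the .want_to_cry suffix, and
    # sustained read/write activity from an external address.
    param([object[]]$ShareEvents, [int]$WriteThreshold = 50)
    foreach ($g in ($ShareEvents | Group-Object -Property IpAddress)) {
        $reads = 0; $writes = 0; $notes = 0; $suffixed = 0
        foreach ($e in $g.Group) {
            $mask = [int]$e.AccessMask          # PowerShell parses '0x2'-style strings
            if ($mask -band 0x1) { $reads++ }   # FILE_READ_DATA
            if ($mask -band 0x2) { $writes++ }  # FILE_WRITE_DATA
            $leaf = ($e.RelativeTargetName -split '[\\/]')[-1]
            if ($leaf -eq '!Want_To_Cry.txt') { $notes++ }
            if ($leaf -like '*.want_to_cry') { $suffixed++ }
        }
        $external = -not (Test-PrivateIPv4 $g.Name)
        $reasons = @()
        if ($notes)    { $reasons += "ransom note written x$notes" }
        if ($suffixed) { $reasons += ".want_to_cry files written x$suffixed" }
        if ($external -and $writes -ge $WriteThreshold) {
            $reasons += "external source with sustained writes ($writes writes / $reads reads)"
        }
        if ($reasons.Count) {
            [pscustomobject]@{ IpAddress = $g.Name; External = $external; Reads = $reads; Writes = $writes; Reasons = ($reasons -join '; ') }
        }
    }
}

# Constructed sample data (not from any real incident). 203.0.113.10 is a
# documentation-range address standing in for an attacker-controlled host.
$failed = [System.Collections.Generic.List[object]]::new()
foreach ($i in 1..40) {
    $failed.Add([pscustomobject]@{ IpAddress = '203.0.113.10'; LogonType = 3; TargetUserName = @('administrator','backup','scan')[$i % 3] })
}
$failed.Add([pscustomobject]@{ IpAddress = '10.0.0.7'; LogonType = 3; TargetUserName = 'alice' })

$share = [System.Collections.Generic.List[object]]::new()
foreach ($i in 1..20) {   # an internal backup job writing to its own share
    $share.Add([pscustomobject]@{ IpAddress = '10.0.0.5'; ShareName = '\\*\Backups'; RelativeTargetName = "daily\file$($i).bak"; AccessMask = '0x2' })
}
foreach ($i in 1..60) {   # external session: read each file, then write it back renamed
    $share.Add([pscustomobject]@{ IpAddress = '203.0.113.10'; ShareName = '\\*\Finance'; RelativeTargetName = "q4\ledger$($i).xlsx"; AccessMask = '0x1' })
    $share.Add([pscustomobject]@{ IpAddress = '203.0.113.10'; ShareName = '\\*\Finance'; RelativeTargetName = "q4\ledger$($i).xlsx.want_to_cry"; AccessMask = '0x2' })
}
$share.Add([pscustomobject]@{ IpAddress = '203.0.113.10'; ShareName = '\\*\Finance'; RelativeTargetName = 'q4\!Want_To_Cry.txt'; AccessMask = '0x2' })

Find-SmbBruteForce -FailedLogons $failed.ToArray() | Format-Table -AutoSize
Find-RemoteEncryptionActivity -ShareEvents $share.ToArray() | Format-Table -AutoSize
```

On the constructed data the internal backup job (10.0.0.5) produces no finding, while 203.0.113.10 is reported once for 40 failed logons against three accounts and once for the read-then-write pattern, the .want_to_cry suffix, and the ransom note. The read/write pairing is the useful signal on real data: a legitimate client rarely reads a file and immediately writes a renamed copy next to it at volume, which is exactly what remote encryption over SMB looks like from the file server's side.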
Conclusion
As with all ransomware activity, prevention remains key to mitigating the threat of remote ransomware operations like WantToCry. Preventive measures include disabling the SMBv1 protocol across the organization, removing “guest” or anonymous SMB access, and blocking inbound SMB traffic (ports TCP/139 and TCP/445) at all internet-facing firewalls. Additionally, it is important to ensure that backups cannot be accessed via SMB protocols.
Organizations should also implement network-level controls and file content monitoring to address this attack methodology effectively. A tool like Sophos CryptoGuard can identify, block, and roll back encryption activity performed via SMB protocols.
WantToCry relies on weak authentication and internet exposure rather than on software vulnerabilities or malware delivery mechanisms. Extended detection and response (XDR) solutions can identify reconnaissance and brute-force attempts against SMB services, providing early warnings of potential WantToCry operations.
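The preventive measures listed above can be audited and applied on a Windows host with the SMB and firewall cmdlets that ship with the operating system. The following PowerShell is an added example, not code from Sophos: Get-SmbHardeningReport is read-only and reports SMBv1 state, insecure guest logons, shares granting access to Everyone, guests or anonymous callers, shares whose name or path looks like a backup location, and whether a host-level block rule for inbound TCP/139 and TCP/445 exists; Invoke-SmbHardening applies the changes and supports -WhatIf. The rule name, the backup-share heuristic and the choice of the Public firewall profile are this example's assumptions; the perimeter block at internet-facing firewalls that the text calls for still has to be configured on the edge devices, and the host rule is only a local backstop.

```powershell
# Added example (not Sophos code): audit and enforce the SMB hardening steps
# from the text on one Windows host. Run from an elevated session. The firewall
# rule name and the backup-share heuristic are this example's own choices.

$BlockRuleName = 'Block inbound SMB (example)'

function Get-SmbHardeningReport {
    $server = Get-SmbServerConfiguration
    $client = Get-SmbClientConfiguration
    $rule   = Get-NetFirewallRule -DisplayName $BlockRuleName -ErrorAction SilentlyContinue

    # Non-administrative shares that grant access to Everyone, guests or
    # anonymous callers are the "guest" exposure the text recommends removing.
    $openShares = foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special })) {
        Get-SmbShareAccess -Name $share.Name |
            Where-Object { $_.AccessControlType -eq 'Allow' -and $_.AccountName -match 'Everyone|ANONYMOUS LOGON|Guest' } |
            ForEach-Object { "$($share.Name) -> $($_.AccountName) ($($_.AccessRight))" }
    }

    # Heuristic: shares that look like backup locations should not be reachable
    # over SMB at all; review each one listed here.
    $backupShares = Get-SmbShare |
        Where-Object { -not $_.Special -and ($_.Name -match 'backup|bkp' -or $_.Path -match 'backup|bkp') } |
        ForEach-Object { "$($_.Name) ($($_.Path))" }

    [pscustomobject]@{
        SMB1Enabled                 = $server.EnableSMB1Protocol
        SigningRequired             = $server.RequireSecuritySignature
        InsecureGuestLogonsEnabled  = $client.EnableInsecureGuestLogons
        InboundSmbBlockRulePresent  = [bool]$rule
        SharesOpenToGuestOrEveryone = @($openShares)
        BackupLikeShares            = @($backupShares)
    }
}

function Invoke-SmbHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess('SMB server', 'Disable SMBv1')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    if ($PSCmdlet.ShouldProcess('SMB client', 'Disable insecure guest logons')) {
        Set-SmbClientConfiguration -EnableInsecureGuestLogons $false -Force
    }
    if ($PSCmdlet.ShouldProcess('Windows Firewall', 'Block inbound TCP/139 and TCP/445 on the Public profile')) {
        if (-not (Get-NetFirewallRule -DisplayName $BlockRuleName -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $BlockRuleName -Direction Inbound -Protocol TCP `
                -LocalPort 139,445 -Action Block -Profile Public | Out-Null
        }
    }
}

Get-SmbHardeningReport | Format-List
# Invoke-SmbHardening -WhatIf   # preview the changes; drop -WhatIf to apply them
```

Removing a share's Everyone or guest entry is a per-share decision (Revoke-SmbShareAccess -Name <share> -AccountName Everyone), so the report lists those entries rather than changing them. Disabling SMBv1 with Set-SmbServerConfiguration takes effect on the running server; on hosts where the SMB1 optional feature is still installed, removing it with Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol finishes the job after a restart.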

