A ransomware campaign has been quietly encrypting files on victims’ machines without ever dropping or executing a single binary on those systems — exploiting exposed SMB ports and weak credentials to pull data off-device, encrypt it remotely, and push it back before the victim notices anything is wrong.
WantToCry: Fileless Encryption via Exposed SMB
Sophos Counter Threat Unit published an analysis of WantToCry, an active ransomware campaign that operates by scanning for internet-exposed SMB ports — TCP 139 and 445 — and brute-forcing them using weak or default credentials. Once authenticated, WantToCry uses the SMB session to pull files to remote infrastructure, encrypt them there, and push the encrypted versions back to the victim’s system. No malware binary is dropped or executed on the victim’s machine at any stage of the attack.
The approach is deliberately constructed to defeat endpoint detection tools. EDR platforms that depend on process analysis and file-based signatures have nothing to analyze: there is no local process to monitor, no executable to scan, and no behavioral indicator to flag. The encryption work happens entirely on infrastructure the attackers control.
The .want_to_cry Extension and Contact Channels
Encrypted files receive the .want_to_cry file extension. Victims find a ransom note titled !Want_To_Cry.txt with instructions to contact the attackers via qTox and Telegram. Ransom demands range from $400 to $1,800 per victim, with a typical demand of around $600 — a deliberately low price point compared to enterprise-targeted ransomware groups, likely aimed at volume rather than high-value targets.
WantToCry Is Not WannaCry
Despite the similar name and the shared focus on SMB as an attack vector, WantToCry and the 2017 WannaCry worm are operationally distinct. WannaCry was a self-propagating worm that exploited the EternalBlue vulnerability to spread automatically across networks. WantToCry uses manual, credential-based brute-force attacks. It does not self-propagate, does not exploit a software vulnerability in SMB, and does not move laterally through networks on its own. The approach is slower and quieter, prioritizing stealth over speed.
The Attack Surface: 1.5 Million Exposed SMB Devices
As of January 2026, Sophos CTU cited Shodan telemetry showing over 1.5 million devices with SMB port TCP 445 exposed to the public internet. WantToCry’s attack infrastructure is distributed across Russia, Germany, Singapore, and the United States. The campaign’s scan-and-brute-force methodology means that any device in that pool running weak or default SMB credentials is a viable target.
The fileless execution model creates a specific detection gap. Organizations that rely on EDR as the primary line of defense against ransomware may have no visibility into a WantToCry intrusion until encrypted files have already been pushed back to the victim’s file system. At that stage, the attacker’s infrastructure has already disconnected, leaving only the encrypted files and the ransom note behind.
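Because nothing runs on the endpoint, the evidence of this campaign lives in SMB server and authentication logs rather than in process telemetry. The following is an added example, not Sophos tooling, of the kind of log check a defender can run for the pattern the article describes: a burst of failed SMB logons from one remote address followed by a success, then writes of files carrying the .want_to_cry extension or the !Want_To_Cry.txt note. The log format, the source addresses and the failure threshold are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample records in a simplified "<ts> <event> src=<ip> user=<name> [path=<share path>]"
# shape; these are not real logs and the addresses are documentation ranges.
SAMPLE_LOG = """\
10:00:01 SMB_AUTH_FAIL src=203.0.113.7 user=admin
10:00:02 SMB_AUTH_FAIL src=203.0.113.7 user=administrator
10:00:03 SMB_AUTH_FAIL src=203.0.113.7 user=backup
10:00:04 SMB_AUTH_FAIL src=203.0.113.7 user=guest
10:00:05 SMB_AUTH_FAIL src=203.0.113.7 user=scan
10:00:06 SMB_AUTH_OK src=203.0.113.7 user=scan
10:00:10 SMB_READ src=203.0.113.7 user=scan path=\\\\srv\\share\\q1.xlsx
10:00:40 SMB_WRITE src=203.0.113.7 user=scan path=\\\\srv\\share\\q1.xlsx.want_to_cry
10:00:41 SMB_WRITE src=203.0.113.7 user=scan path=\\\\srv\\share\\!Want_To_Cry.txt
10:05:00 SMB_AUTH_OK src=10.0.0.12 user=alice
10:05:01 SMB_WRITE src=10.0.0.12 user=alice path=\\\\srv\\share\\notes.txt
"""

LINE_RE = re.compile(r"^(\S+) (\S+) src=(\S+) user=(\S+)(?: path=(.*))?$")
FAIL_THRESHOLD = 5  # assumed tuning value for this example, not a figure from the article

def parse(log):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, event, src, user, path = m.groups()
            yield {"ts": ts, "event": event, "src": src, "user": user, "path": path or ""}

def detect(log, fail_threshold=FAIL_THRESHOLD):
    """Return {source address: [findings]} for sources matching the WantToCry pattern."""
    fails = defaultdict(int)      # failed SMB logons seen per source address
    findings = defaultdict(list)
    for rec in parse(log):
        src, event, path = rec["src"], rec["event"], rec["path"].lower()
        if event == "SMB_AUTH_FAIL":
            fails[src] += 1
        elif event == "SMB_AUTH_OK" and fails[src] >= fail_threshold:
            # A success right after a run of failures is the brute-force signal.
            findings[src].append(f"{rec['ts']} auth success after {fails[src]} failures (brute force)")
        elif event == "SMB_WRITE" and (path.endswith(".want_to_cry") or path.endswith("!want_to_cry.txt")):
            # Encrypted files and the ransom note arrive as plain SMB writes from the attacker.
            findings[src].append(f"{rec['ts']} wrote {rec['path']} (encrypted file or ransom note)")
    return dict(findings)

if __name__ == "__main__":
    for src, notes in detect(SAMPLE_LOG).items():
        print(src, *notes, sep="\n  ")
```

The legitimate internal user writes a file through the same share and produces no finding, which is the point: the check keys on the failure burst and on the campaign's own file names, not on share activity in general.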
