The WantToCry ransomware group has been targeting organizations by exploiting misconfigured Server Message Block (SMB) services to remotely encrypt files without deploying malware on the victim’s systems. This method allows attackers to operate stealthily, making detection and mitigation more challenging.
According to Cyber Security News, the attackers scan the internet for systems with open SMB ports, utilizing tools like Shodan and Censys to identify vulnerable targets. Once a system is identified, they perform automated brute-force attacks against the exposed SMB service, aiming to gain access through weak or compromised credentials.
Upon successful access, the attackers exfiltrate the victim’s files via the authenticated SMB session to their own infrastructure, encrypt them remotely, and then return the encrypted versions to the original locations. This process leaves no malware footprint on the victim’s machine, complicating detection efforts.
Encrypted files are renamed with a ‘.want_to_cry’ extension, and a ransom note titled ‘!Want_To_Cry.txt’ is placed in affected directories, demanding Bitcoin payments. Ransom demands have ranged from $400 to $1,800 per victim, with attackers offering to decrypt up to three files as proof before payment.
As of January 7, 2026, over 1.5 million devices had SMB ports (TCP 139 and 445) exposed to the internet, highlighting the widespread risk. Organizations are advised to disable unnecessary SMB services, enforce strong authentication measures, restrict public access to SMB ports, regularly update and patch systems, implement network segmentation, and deploy advanced monitoring tools to detect and respond to suspicious activities.
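Because the encryption happens off-host, the traces left on the victim are the network logons and the file names written back over SMB. The Python script below is an added example, not part of the original article: it correlates repeated failed network logons, a later success, and writes of the '.want_to_cry' extension or '!Want_To_Cry.txt' note per source address. It assumes Windows Security events 4625, 4624 and 5145 are collected (5145 requires Detailed File Share auditing); the record fields, sample events and the threshold of 5 failures are constructed for illustration.

```python
from collections import defaultdict

RANSOM_EXT = ".want_to_cry"        # extension named in the article
RANSOM_NOTE = "!want_to_cry.txt"   # note name from the article, lowercased
FAIL_THRESHOLD = 5                 # assumed: failed logons before a success

# Constructed, simplified records modelled on Windows Security events:
# 4625 failed logon, 4624 successful logon, 5145 file-share access check.
SAMPLE_EVENTS = [
    *[{"id": 4625, "ip": "203.0.113.7", "logon_type": 3} for _ in range(6)],
    {"id": 4624, "ip": "203.0.113.7", "logon_type": 3},
    {"id": 5145, "ip": "203.0.113.7", "path": r"Finance\q4.xlsx"},
    {"id": 5145, "ip": "203.0.113.7", "path": r"Finance\q4.xlsx.want_to_cry"},
    {"id": 5145, "ip": "203.0.113.7", "path": r"Finance\!Want_To_Cry.txt"},
    {"id": 4625, "ip": "10.0.0.12", "logon_type": 3},
    {"id": 4624, "ip": "10.0.0.12", "logon_type": 3},
    {"id": 5145, "ip": "10.0.0.12", "path": r"HR\policy.docx"},
]

def is_indicator(path):
    """True if the file name matches the extension or ransom note name."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name.endswith(RANSOM_EXT) or name == RANSOM_NOTE

def analyze(events, fail_threshold=FAIL_THRESHOLD):
    """Correlate network logon failures, success and indicator files per IP."""
    state = defaultdict(lambda: {"fails": 0, "brute_success": False, "hits": []})
    for ev in events:
        s = state[ev["ip"]]
        if ev["id"] == 4625 and ev.get("logon_type") == 3:
            s["fails"] += 1
        elif ev["id"] == 4624 and ev.get("logon_type") == 3:
            # A success right after many failures suggests a guessed password.
            s["brute_success"] = s["brute_success"] or s["fails"] >= fail_threshold
            s["fails"] = 0
        elif ev["id"] == 5145 and is_indicator(ev.get("path", "")):
            s["hits"].append(ev["path"])
    alerts = []
    for ip, s in state.items():
        if s["hits"]:
            severity = "critical" if s["brute_success"] else "high"
            alerts.append({"ip": ip, "severity": severity, "files": s["hits"]})
        elif s["brute_success"]:
            alerts.append({"ip": ip, "severity": "medium", "files": []})
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```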
The WantToCry ransomware’s abuse of misconfigured SMB services underscores the critical need for organizations to prioritize cybersecurity hygiene. Simple misconfigurations can have far-reaching consequences, enabling attackers to bypass defenses and inflict significant damage. As ransomware attacks grow in sophistication, securing SMB services is no longer optional; it is a necessity. By adopting proactive security measures and fostering a culture of vigilance, organizations can protect their data, operations, and reputation from the ever-present threat of ransomware.
Source: Cyber Security News