WantToCry
WantToCry is a ransomware threat actor and associated ransomware operation observed by SophosLabs in attacks against internet-exposed SMB services. The operators identify potential victims by scanning for open SMB ports 139 and 445 and gain access using weak or compromised SMB credentials rather than exploiting a software vulnerability. After authenticating, they exfiltrate files over authenticated SMB sessions to attacker-controlled infrastructure, encrypt the files remotely, and then write the encrypted files back to the victim system. This approach reduces traditional detection opportunities because it does not require local malware execution or significant post-compromise activity, making process- and signature-based defenses less effective.

WantToCry appends the .want_to_cry extension to encrypted files and leaves ransom notes named !Want_To_Cry.txt. Sophos observed two ransom note variants, including victim communication via qTox and the Telegram account t.me/want_to_cry_team. The notes offered decryption of up to three test files and provided a unique Bitcoin wallet for payment. In incidents investigated by Sophos, the ransom demand was $600, while other publicly disclosed notes ranged from $400 to $1,800. Sophos found no evidence that WantToCry used stolen data for double extortion or name-and-shame extortion.

Sophos assessed that WantToCry attacks often affect only the host exposing SMB services to the internet, with no evidence of broader post-intrusion positioning or self-propagation. Sophos also stated that WantToCry is not related to the 2017 WannaCry worm beyond the name similarity.

Observed infrastructure was segmented across phases of the attack. Reconnaissance and authentication attempts originated from 87.225.105.217, associated with a Russia-based hosting provider, and encryption-phase infrastructure included IPs geolocated to Germany, Russia, the United States, and Singapore.

Reporting also noted that WantToCry attacks abused virtual machines provisioned by ISPsystem to host and deliver malicious payloads at scale. Observed computer names included WIN-J9D866ESIJ2 and WIN-LIVFRVQFMKO, which Sophos said were ISPsystem-issued VM names, but Sophos cautioned that reuse of those names does not prove the same device or same actor across other activity. Known alias: wanttocry.
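Because the files are encrypted remotely and written back over SMB, there is no local process to catch; the telemetry that remains is the file server's own share-access audit trail. As an added example (not from Sophos or the Mallory page), the Python below scans constructed SMB audit events for a client that writes several .want_to_cry files in a short window or drops !Want_To_Cry.txt; the log line format, the share paths and the IP addresses are assumptions made for this illustration.

```python
"""Detect WantToCry-style remote encryption in SMB file-share audit events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Artefacts named in the Sophos reporting summarised above.
RANSOM_NOTE = "!Want_To_Cry.txt"
ENC_EXT = ".want_to_cry"

# Constructed sample audit lines (not real telemetry): "<time> <client ip> <op> <share path>".
# 203.0.113.7 plays the external client that reads, writes encrypted copies back and drops the note.
SAMPLE_EVENTS = """\
2024-05-01T02:10:01 10.0.0.5 READ finance/q1.xlsx
2024-05-01T02:10:02 203.0.113.7 READ finance/q1.xlsx
2024-05-01T02:10:03 203.0.113.7 READ finance/q2.xlsx
2024-05-01T02:11:00 203.0.113.7 WRITE finance/q1.xlsx.want_to_cry
2024-05-01T02:11:01 203.0.113.7 WRITE finance/q2.xlsx.want_to_cry
2024-05-01T02:11:02 203.0.113.7 DELETE finance/q1.xlsx
2024-05-01T02:11:03 203.0.113.7 WRITE finance/!Want_To_Cry.txt
2024-05-01T02:12:00 10.0.0.5 WRITE finance/budget.docx
"""

def parse(line):
    ts, ip, op, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), ip, op, path

def detect(events, window=timedelta(minutes=10), min_encrypted=2):
    """Return {client_ip: findings} for clients whose WRITEs look like remote
    encryption: at least `min_encrypted` files gaining ENC_EXT inside `window`,
    or the ransom note being written. Reads and deletes alone never alert."""
    writes_by_client = defaultdict(list)
    for line in events.strip().splitlines():
        ts, ip, op, path = parse(line)
        if op == "WRITE":
            writes_by_client[ip].append((ts, path))
    alerts = {}
    for ip, writes in writes_by_client.items():
        writes.sort()
        enc = [t for t, p in writes if p.lower().endswith(ENC_EXT)]
        note = any(p.rsplit("/", 1)[-1] == RANSOM_NOTE for _, p in writes)
        # Largest burst of encrypted-file writes inside one sliding window.
        burst = 0
        for i, t0 in enumerate(enc):
            j = i
            while j < len(enc) and enc[j] - t0 <= window:
                j += 1
            burst = max(burst, j - i)
        if burst >= min_encrypted or note:
            alerts[ip] = {"encrypted_writes": burst, "ransom_note": note}
    return alerts
```

In a real deployment the client IP should additionally be checked against the set of hosts expected to reach the share, since the page describes the encrypting client as internet-based rather than an internal workstation.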
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Where they're from
Attributed origin per open-source reporting.
- RU
- DE
- US
- SG
Recent activity
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Conducting ransomware attacks by scanning for internet-exposed SMB services, brute-forcing weak or compromised credentials, exfiltrating files over authenticated SMB sessions to attacker-controlled infrastructure for remote encryption, then writing encrypted files back and leaving ransom notes.
Abuses ISPsystem-provisioned virtual machines (likely via intermediaries/bulletproof hosting) to host and deliver malicious payloads at scale.