WantToCry
WantToCry is a ransomware strain observed since at least early 2024 and investigated by SophosLabs in late 2025. It targets organizations with internet-exposed Server Message Block (SMB) services, particularly hosts exposing TCP ports 139 and 445. Rather than executing a ransomware binary locally, operators scan for exposed SMB services, brute-force or use weak/compromised credentials, authenticate over SMB, exfiltrate files through the authenticated session to attacker-controlled infrastructure, encrypt the files remotely, and then write the encrypted versions back to the victim system. This remote-encryption workflow reduces host-based detection opportunities because it avoids local malware execution, suspicious processes, registry changes, and dropped binaries on the victim endpoint.
Observed effects include encrypted files being renamed with the .want_to_cry extension and ransom notes named !Want_To_Cry.txt being written to affected directories. Sophos observed ransom note variants directing victims to qTox or to the Telegram account hxxps://t[.]me/want_to_cry_team, offering decryption of up to three test files and payment to a unique Bitcoin wallet. In incidents investigated by Sophos, ransom demands were typically $600, while other publicly disclosed notes ranged from roughly $400 to $1,800. Sophos found no evidence that WantToCry used stolen data for double extortion or name-and-shame extortion, and assessed that attacks often affected only the host exposing SMB rather than broader enterprise environments. Sophos also stated that WantToCry is not self-propagating and found no evidence connecting it to the 2017 WannaCry worm beyond the name similarity.
Sophos linked campaign activity to reconnaissance and brute-force activity from 87[.]225[.]105[.]217 and to encryption-phase infrastructure at 109[.]69[.]58[.]213, 185[.]189[.]13[.]56, 185[.]200[.]191[.]37, 194[.]36[.]179[.]18, and 194[.]36[.]179[.]30, geolocating to Germany, Russia, the United States, and Singapore. Recurrent attacker computer names included WIN-J9D866ESIJ2 and WIN-LIVFRVQFMKO, which Sophos identified as hostnames associated with virtual machines provisioned via ISPsystem VMmanager. Sophos and third-party reporting also observed those hostnames in other malicious activity, including NetSupport RAT and LockBit, Qilin, and BlackCat/ALPHV ransomware, but Sophos cautioned that hostname reuse alone does not prove the same device or actor. The report further notes that WantToCry activity has abused virtual machines provisioned through ISPsystem and delivered via abuse-tolerant or bulletproof hosting ecosystems at scale.
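The remote-encryption workflow described above leaves few artefacts on the host, but the authenticated SMB session itself is visible in file-share audit logging. The following detection sketch is an added example, not part of the Sophos report or of Mallory's own detection content: it parses constructed log lines (a key=value format loosely modelled on the fields of Windows event 5145: source address, account, target file, access mask) and flags any single remote principal that writes several .want_to_cry files or the !Want_To_Cry.txt note after reading files over the share.

```python
"""Flag remote SMB sessions whose file activity matches the WantToCry
remote-encryption pattern: bulk reads, then writes of .want_to_cry files
and a !Want_To_Cry.txt note, all from one network principal."""
from collections import defaultdict

RANSOM_EXT = ".want_to_cry"       # extension reported on encrypted files
RANSOM_NOTE = "!want_to_cry.txt"  # ransom note name (compared lower-cased)
READ_DATA, WRITE_DATA = 0x1, 0x2  # access-mask bits (ReadData / WriteData)

def parse_line(line):
    """Parse one constructed 'key=value|...' record; the mask field is hex."""
    rec = dict(kv.split("=", 1) for kv in line.split("|"))
    rec["mask"] = int(rec["mask"], 16)
    return rec

def analyse(lines, min_encrypted=3):
    """One alert per (source IP, account) with >= min_encrypted .want_to_cry writes or the note."""
    sessions = defaultdict(lambda: {"reads": set(), "enc": set(), "note": False})
    for rec in map(parse_line, lines):
        st = sessions[(rec["src"], rec["user"])]
        name = rec["target"].lower()
        if rec["mask"] & READ_DATA:
            st["reads"].add(name)
        if rec["mask"] & WRITE_DATA:
            if name.endswith(RANSOM_EXT):
                st["enc"].add(name)
            if name.rsplit("\\", 1)[-1] == RANSOM_NOTE:
                st["note"] = True
    return [{"src": src, "user": user, "files_read": len(st["reads"]),
             "encrypted": len(st["enc"]), "note": st["note"]}
            for (src, user), st in sessions.items()
            if len(st["enc"]) >= min_encrypted or st["note"]]

# Constructed sample (fields loosely modelled on event 5145): one remote principal
# reads three documents, writes back encrypted copies plus the note; another only reads.
SAMPLE_LOG = [
    "ts=2025-11-02T03:14:07Z|src=203.0.113.7|user=svc_backup|target=Finance\\Q3.xlsx|mask=0x1",
    "ts=2025-11-02T03:14:08Z|src=203.0.113.7|user=svc_backup|target=Finance\\Q4.xlsx|mask=0x1",
    "ts=2025-11-02T03:14:09Z|src=203.0.113.7|user=svc_backup|target=HR\\payroll.docx|mask=0x1",
    "ts=2025-11-02T03:15:31Z|src=203.0.113.7|user=svc_backup|target=Finance\\Q3.xlsx.want_to_cry|mask=0x2",
    "ts=2025-11-02T03:15:32Z|src=203.0.113.7|user=svc_backup|target=Finance\\Q4.xlsx.want_to_cry|mask=0x2",
    "ts=2025-11-02T03:15:33Z|src=203.0.113.7|user=svc_backup|target=HR\\payroll.docx.want_to_cry|mask=0x2",
    "ts=2025-11-02T03:15:34Z|src=203.0.113.7|user=svc_backup|target=Finance\\!Want_To_Cry.txt|mask=0x2",
    "ts=2025-11-02T03:16:00Z|src=10.20.0.15|user=jsmith|target=Finance\\Q3.xlsx|mask=0x1",
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

In a real deployment the same logic runs over file-share audit events (or SMB telemetry from a network sensor) keyed on the remote address, which is the one artefact this workflow cannot avoid producing.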
Techniques & procedures
16 distinct techniques documented for this family, organized by ATT&CK tactic.
Reconnaissance (1 technique)
Initial Access (2 techniques)
Persistence (2 techniques)
Privilege Escalation (1 technique)
Stealth (3 techniques)
Because no untrusted binaries are executed, no malicious registry edits are created, and no unexpected system processes run locally on the target server, local anti-malware tools remain entirely blind to the destruction occurring across the network file shares.
Credential Access (1 technique)
Discovery (1 technique)
WantToCry operators identify potential victims by scanning the internet for open SMB ports. The threat actors likely use the same reconnaissance services as legitimate security teams. Services such as Shodan and Censys continuously scan internet-facing systems, creating readily available databases of exposed services that attackers can leverage for target selection.
Lateral Movement (2 techniques)
Collection (1 technique)
Command and Control (2 techniques)
Exfiltration (3 techniques)
The remote servers systematically issue file-read requests to pull documents over the network, encrypt them locally on the attacker's own hardware...
After successfully authenticating using compromised or weak credentials, the attackers initiated file exfiltration via authenticated SMB sessions. The subsequent encryption process was initiated on the exfiltrated files stored on attacker-controlled infrastructure.
Impact (1 technique)
IOCs tracked for this family
7 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
Recent activity
8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Ransomware that encrypts victim files remotely over authenticated SMB sessions without executing malware locally on the target. The operators scan for internet-exposed SMB services, brute-force weak credentials, read files over the network, encrypt them on attacker-controlled systems, and write the encrypted files back, reducing local detection opportunities.
Ransomware that abuses exposed SMB services for initial access, uses brute-force or compromised credentials, exfiltrates files to attacker-controlled infrastructure for remote encryption, then writes encrypted files back to the victim system. It appends the .want_to_cry extension and drops a !Want_To_Cry.txt ransom note.
Ransomware that targets exposed SMB services, gains authenticated SMB access via brute force or compromised credentials, exfiltrates files for remote encryption on attacker-controlled servers, and writes encrypted files back to victim systems to reduce endpoint detection.
Ransomware that abuses exposed SMB services with weak or compromised credentials to gain access, exfiltrate files to attacker-controlled infrastructure for remote encryption, then writes encrypted files back over SMB and leaves ransom notes.