
WantToCry ransomware remotely encrypts files

WantToCry is a remote ransomware operation that targets internet-exposed SMB services using brute-force authentication. Instead of deploying local malware, attackers exfiltrate files, encrypt them on their own infrastructure, and write the encrypted versions back to the victim's network via authenticated SMB sessions, effectively bypassing traditional process-based EDR detections.

Sensitivity: Immediate · Confidence: high · Analyzed: 2026-05-19 · Google

Authors: Sophos Counter Threat Unit Research Team

Actors: WantToCry, NetSupport RAT, LockBit, Qilin, BlackCat

Source: Sophos

IOCs · 8
  • filename: !Want_To_Cry.txt - Ransom note dropped on affected systems via SMB.
  • ip: 109[.]69[.]58[.]213 - Germany-based attacker-controlled IP used to establish SMB sessions for remote encryption.
  • ip: 185[.]189[.]13[.]56 - Russia-based attacker-controlled IP used to establish SMB sessions for remote encryption.
  • ip: 185[.]200[.]191[.]37 - US-based attacker-controlled IP used to establish SMB sessions for remote encryption.
  • ip: 194[.]36[.]179[.]18 - Singapore-based attacker-controlled IP used to establish SMB sessions for remote encryption.
  • ip: 194[.]36[.]179[.]30 - Singapore-based attacker-controlled IP used to establish SMB sessions for remote encryption.
  • ip: 87[.]225[.]105[.]217 - Russia-based IP address used for reconnaissance and SMB brute-force authentication attempts.
  • url: hxxps://t[.]me/want_to_cry_team - Telegram account provided in the ransom note for victim communication.

Detection / Hunter (Google)

What Happened

Attackers are scanning the internet for exposed file-sharing ports (SMB) to break into networks using weak passwords. Once inside, they download the victim's files, encrypt them on their own computers, and replace the original files with the locked versions, demanding a ransom. This matters because it bypasses many traditional security tools that look for malicious programs running on the computer. Organizations should immediately block internet access to SMB ports (139 and 445) and enforce strong passwords.

Key Takeaways

  • WantToCry ransomware operates entirely via remote SMB sessions without executing local malware on the victim's machine.
  • Attackers identify targets by scanning for internet-exposed SMB ports (TCP 139 and 445) and brute-forcing weak credentials.
  • Files are exfiltrated, encrypted on attacker-controlled infrastructure, and rewritten to the victim's system.
  • Traditional process-based EDR solutions may struggle to detect this activity as it relies on legitimate SMB file operations.

Affected Systems

  • Systems with internet-exposed SMB services (TCP ports 139, 445)

Attack Chain

Attackers scan the internet for exposed SMB ports (TCP 139 and 445) and use brute-force techniques to gain access via weak credentials. Once authenticated, they establish an SMB session to exfiltrate files to attacker-controlled infrastructure. The files are encrypted remotely and then written back to the victim's system over the same SMB session, appending the .want_to_cry extension and dropping a ransom note. No local malware is executed, and no post-intrusion lateral movement occurs.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide specific detection rules, but notes that file content monitoring tools like Sophos CryptoGuard can detect the remote encryption behavior.

Detection Engineering Assessment

  • EDR Visibility: Low — WantToCry operates entirely via remote SMB sessions without executing local malicious processes, bypassing traditional process-based EDR detections.
  • Network Visibility: High — The attack relies on external IPs establishing SMB sessions and performing sustained read/write operations, which is highly visible in network traffic.
  • Detection Difficulty: Moderate — While process-based detection fails, monitoring for external IPs authenticating to SMB and performing mass file modifications, or identifying the specific ransom note filenames, is straightforward if file and network monitoring are in place.

Required Log Sources

  • Windows Security Event Log (Event ID 4624, 5140, 5145)
  • Network flow logs
  • Firewall logs

Hunting Hypotheses

  • Hypothesis: Consider hunting for external IP addresses successfully authenticating to internal SMB services (TCP 139/445) followed by high volumes of file read/write operations.
    • Telemetry: Network flow logs, Windows Security Event Logs (4624, 5145)
    • ATT&CK Stage: Exfiltration/Impact
    • FP Risk: Low if external SMB is blocked; Medium if remote workers legitimately use exposed SMB.
  • Hypothesis: Consider hunting for the creation of files named '!Want_To_Cry.txt' or files with the '.want_to_cry' extension across network shares.
    • Telemetry: File System monitoring, EDR file creation events
    • ATT&CK Stage: Impact
    • FP Risk: Low
  • Hypothesis: Consider hunting for SMB connections originating from the specific attacker computer names WIN-J9D866ESIJ2 or WIN-LIVFRVQFMKO.
    • Telemetry: Windows Security Event Logs (5140, 5145)
    • ATT&CK Stage: Initial Access
    • FP Risk: Low to Medium (these are default VM names from a legitimate provider, but highly suspicious in external SMB auth).
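Worked hunting logic for the three hypotheses above, as an added example that is not part of the original report: it runs over a small constructed set of Windows Security events (4624 network logons and 5145 share-object accesses, modelled as Python dicts) and flags external SMB writers, ransom-note and extension artifacts, and logons carrying the attacker computer names. The event field names, the sample source IP 203.0.113.9 and the write threshold of 20 are assumptions for the example.

```python
import ipaddress
from collections import Counter
# Constructed sample of Windows Security events (not from the original report).
# 4624 = logon (logon_type 3 = network, how SMB authenticates); 5145 = share object checked.
SAMPLE_EVENTS = [
    {"id": 4624, "src_ip": "10.0.0.7", "logon_type": 3, "workstation": "PC01"},
    {"id": 5145, "src_ip": "10.0.0.7", "path": r"\\*\Finance\q1.xlsx", "access": "WriteData"},
    {"id": 4624, "src_ip": "203.0.113.9", "logon_type": 3, "workstation": "WIN-J9D866ESIJ2"},
] + [
    {"id": 5145, "src_ip": "203.0.113.9", "access": "WriteData",
     "path": rf"\\*\Finance\doc{i}.docx.want_to_cry"} for i in range(40)
] + [
    {"id": 5145, "src_ip": "203.0.113.9", "path": r"\\*\Public\!Want_To_Cry.txt", "access": "WriteData"},
]
RANSOM_NOTE = "!want_to_cry.txt"   # compared case-insensitively
RANSOM_EXT = ".want_to_cry"
ATTACKER_HOSTS = {"WIN-J9D866ESIJ2", "WIN-LIVFRVQFMKO"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def is_external(ip):
    """Treat anything outside RFC 1918, loopback and link-local as internet-sourced."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def external_smb_writers(events, min_writes=20):
    """Hypothesis 1: external IPs with a network logon (4624, type 3) followed by
    sustained share writes (5145 WriteData). Returns {src_ip: write_count}."""
    logged_on = {e["src_ip"] for e in events
                 if e["id"] == 4624 and e.get("logon_type") == 3 and is_external(e["src_ip"])}
    writes = Counter(e["src_ip"] for e in events
                     if e["id"] == 5145 and e.get("access") == "WriteData" and e["src_ip"] in logged_on)
    return {ip: n for ip, n in writes.items() if n >= min_writes}

def ransom_artifacts(events):
    """Hypothesis 2: share paths whose file name is the ransom note or carries the extension."""
    hits = []
    for e in events:
        if e["id"] != 5145:
            continue
        name = e["path"].rsplit("\\", 1)[-1].lower()
        if name == RANSOM_NOTE or name.endswith(RANSOM_EXT):
            hits.append(e["path"])
    return hits

def attacker_hostname_logons(events):
    """Hypothesis 3: network logons whose workstation name matches the report's attacker hosts."""
    return sorted({e["src_ip"] for e in events
                   if e["id"] == 4624 and e.get("workstation") in ATTACKER_HOSTS})
```

On real data, feed the same dict shape from exported 4624/5145 records and tune `min_writes` against a baseline of normal share activity, since the internal-range check is what keeps legitimate LAN users out of the first hypothesis.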

Control Gaps

  • Process-centric EDR solutions
  • Lack of external firewall blocking for SMB

Key Behavioral Indicators

  • Sustained SMB read/write operations from external IPs
  • Mass file renaming over SMB
  • Creation of !Want_To_Cry.txt

False Positive Assessment

  • Low. The specific IOCs (IPs, ransom note names, extensions) are highly indicative of WantToCry activity. However, the attacker computer names (WIN-J9D866ESIJ2, WIN-LIVFRVQFMKO) are generated by a legitimate VM provider (ISPsystem) and could theoretically appear in non-malicious contexts, though their presence in external SMB connections is highly suspicious.

Recommendations

Immediate Mitigation

  • Verify against your organization's incident response runbook and team escalation paths before acting.
  • Consider blocking inbound SMB traffic (TCP ports 139 and 445) at all internet-facing firewalls.
  • Identify and isolate any systems that currently have exposed SMB services to the internet.

Infrastructure Hardening

  • Evaluate disabling the SMBv1 protocol across the organization.
  • Consider removing 'guest' or anonymous SMB access on all network shares.
  • Ensure that backup infrastructure cannot be accessed via SMB protocols.

User Protection

  • Enforce strong, complex passwords and multi-factor authentication (MFA) for all remote access services.
  • Evaluate whether file content monitoring or anti-ransomware tools can be deployed to detect remote encryption activity.

Security Awareness

  • Educate IT and network administrators on the severe risks of exposing internal file-sharing protocols directly to the internet.

MITRE ATT&CK Mapping

  • T1133 - External Remote Services
  • T1110 - Brute Force
  • T1048 - Exfiltration Over Alternative Protocol
  • T1486 - Data Encrypted for Impact

Additional IOCs

  • File Paths:
    • C:\Users\Public\Videos\!want_to_cry.txt - Ransom note path observed in detection logs.
    • C:\Users\Public\Documents\!want_to_cry.txt - Ransom note path observed in detection logs.
    • C:\Users\Public\Pictures\!want_to_cry.txt - Ransom note path observed in detection logs.
    • C:\Users\Public\!want_to_cry.txt - Ransom note path observed in detection logs.
    • C:\Users\Public\Music\!want_to_cry.txt - Ransom note path observed in detection logs.
  • Other:
    • WIN-J9D866ESIJ2 - Attacker computer name (Windows Server 2016) used during malicious SMB sessions.
    • WIN-LIVFRVQFMKO - Attacker computer name (Windows Server 2019) used during malicious SMB sessions.
    • 1D9E589C757304F688514280E3ADBE2E12C5F46DE25A01EBBAAB17896D0BAA59BFCEE0D493A6 - Tox ID provided in the ransom note for victim communication.
    • .want_to_cry - File extension appended to encrypted files.