WantToCry Ransomware Abuses SMB Services for Remote Encryption

WantToCry ransomware remotely encrypts via exposed SMB services

Understanding WantToCry Ransomware and SMB Services

WantToCry ransomware abuses SMB services to remotely encrypt files, posing a significant threat to organisations. In recent incidents, attackers have leveraged exposed SMB file-sharing protocols to target businesses, encrypting files without ever dropping malware on the victim’s system. This innovative approach signals a shift in ransomware tactics, making detection and prevention more challenging for IT and security teams.

How WantToCry Ransomware Operates

Unlike traditional ransomware strains, WantToCry does not need to install malicious software on the targeted host. Instead, it exploits weaknesses in the Server Message Block (SMB) protocol, which is commonly used for file sharing within business environments. Attackers remotely access exposed SMB services and encrypt files directly over the network, bypassing many endpoint security tools that rely on detecting malware payloads.

  • No malware is dropped on the host, reducing detection opportunities.
  • Encryption occurs remotely via the SMB protocol.
  • Targets organisations with SMB ports exposed to the internet.
  • Shares its name with WannaCry, but operates differently.

This technique is particularly dangerous because it undermines traditional security approaches that focus on identifying and blocking malware files. The threat actors are not dependent on lateral movement or worm-like propagation, as seen in the original WannaCry attack from 2017.

Why SMB Service Exposure Is a Serious Risk

The risk posed by WantToCry's abuse of SMB services is substantial. The SMB protocol is widely used for file sharing and network communications, but it is also a frequent target for cybercriminals due to its vulnerabilities. Many organisations inadvertently leave SMB ports open to the internet, either through misconfiguration or legacy systems that require remote access.

The Impact of Remote Encryption Attacks

Remote encryption attacks can have devastating consequences. Without any malware present on local systems, endpoint protection tools are often blind to the attack. This increases the likelihood that files will be encrypted and ransoms demanded before the incident is detected. Furthermore, organisations may struggle to trace the source of the compromise, as logs and alerts related to file access over SMB may not be actively monitored.

  • Files can be targeted across multiple hosts simultaneously.
  • Incident response is complicated by lack of malware artefacts.
  • Recovery efforts may be delayed, prolonging business disruption.
  • Ransom payments may become the only perceived solution.

Exposed SMB services are an attractive target for attackers because they often provide access to sensitive data. If not properly secured, a single compromised service can lead to widespread file encryption across an organisation’s network shares.

Key Steps Organisations Must Take to Mitigate SMB Abuse

With the rise of threats like WantToCry that abuse SMB services, organisations must act swiftly to reduce their exposure. Hardening SMB configurations and monitoring network activity are essential to defending against remote encryption attacks.

Best Practices for Securing SMB Services

To protect against ransomware abusing SMB services, organisations should implement the following measures:

  • Restrict SMB access to trusted internal networks only. Avoid exposing SMB ports (typically 445 and 139) to the internet.
  • Regularly review firewall rules and access controls to ensure only authorised users and systems can connect to SMB services.
  • Disable SMBv1, as this older protocol is particularly vulnerable to attacks. Use SMBv2 or SMBv3 with encryption enabled.
  • Apply security patches and updates to SMB services and underlying operating systems promptly.
  • Monitor SMB network traffic for unusual activity, such as large volumes of file access or unexpected connections.
  • Implement robust backup solutions, ensuring backups are stored offline or in immutable formats to prevent ransomware from encrypting them.
  • Educate staff on the risks of remote file access and encourage reporting of suspicious activity.

These steps help reduce the attack surface and increase the likelihood of detecting malicious activity before files are encrypted.

Incident Response and Recovery Considerations

If your organisation suspects it has been targeted by ransomware abusing SMB services, immediate action is required:

  • Isolate affected systems to prevent further encryption.
  • Conduct forensic analysis of SMB logs to identify the source and scope of the attack.
  • Restore files from offline or immutable backups.
  • Review and strengthen SMB access controls.
  • Report incidents to relevant authorities and share threat intelligence with peers.

Organisations should also review their incident response plans to ensure they address threats that operate remotely and without malware payloads.
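The monitoring measure ("large volumes of file access or unexpected connections") and the forensic step ("identify the source and scope of the attack") can both be served by the same query over file-share audit records. The following is an added example, not code from the original bulletin: it assumes Windows detailed file share auditing (event ID 5145) has been exported to CSV, and the column names, the 60-second window, the 20-file threshold and the `INTERNAL_NETS` range are illustrative assumptions.

```python
import csv, io, ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

MODIFY_BITS = 0x2 | 0x4 | 0x10000   # AccessMask: WriteData | AppendData | DELETE
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed trusted range

def find_bulk_modifiers(rows, window=timedelta(seconds=60), threshold=20):
    """Return {source_ip: summary} for SMB clients that modified at least
    `threshold` distinct files within any single `window`."""
    recent = defaultdict(deque)           # ip -> (time, share, file) in window
    flagged = {}
    for row in sorted(rows, key=lambda r: r["time"]):
        if not int(row["mask"], 16) & MODIFY_BITS:
            continue                      # read-only access
        ts = datetime.fromisoformat(row["time"])
        q = recent[row["ip"]]
        q.append((ts, row["share"], row["file"]))
        while ts - q[0][0] > window:      # expire events older than the window
            q.popleft()
        files = {(share, name) for _, share, name in q}
        if len(files) < threshold:
            continue
        addr = ipaddress.ip_address(row["ip"])
        hit = flagged.setdefault(row["ip"], {
            "window_start": q[0][0], "users": set(), "shares": set(),
            "max_files_in_window": 0,
            "external": not any(addr in net for net in INTERNAL_NETS)})
        hit["users"].add(row["user"])
        hit["shares"].update(share for share, _ in files)
        hit["max_files_in_window"] = max(hit["max_files_in_window"], len(files))
    return flagged

def constructed_sample():
    """Constructed records, not real logs: two ordinary users plus one
    internet address rewriting 30 files on two shares in 30 seconds."""
    text = ("time,ip,user,share,file,mask\n"
            "2026-05-20T09:00:05,10.0.4.17,alice,Finance,q1.xlsx,0x1\n"
            "2026-05-20T09:00:40,10.0.4.17,alice,Finance,q1.xlsx,0x2\n"
            "2026-05-20T09:03:10,10.0.4.22,bob,HR,policy.docx,0x1\n")
    for i in range(30):
        share = "Finance" if i % 2 else "HR"
        text += (f"2026-05-20T02:14:{i:02d},203.0.113.50,backup_svc,"
                 f"{share},doc{i}.pdf,0x10002\n")
    return list(csv.DictReader(io.StringIO(text)))

if __name__ == "__main__":
    for ip, hit in find_bulk_modifiers(constructed_sample()).items():
        print(ip, hit)
```

Each flagged entry gives the source address, the accounts used and the shares touched, which is the starting point for scoping which files need restoring from backup.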

Summary: Staying Ahead of Ransomware Trends

WantToCry ransomware abuses SMB services to encrypt files remotely, challenging traditional defences and highlighting the need for improved network security. Organisations must prioritise hardening SMB configurations, monitoring network traffic, and maintaining robust backups to guard against this evolving threat. By reducing exposure and staying vigilant, businesses can minimise the risk posed by remote ransomware attacks.

Originally reported by cybersecuritynews.com.

About the Author

Rob McBride

Partner

Rob is a Founding Partner at CyPro and a highly experienced CISO. Beginning his career with a successful tenure at Deloitte, Rob has since amassed a wealth of experience, notably serving as a cyber security advisor to the UK government and spearheading cloud security transformations for several global banks.

At CyPro, Rob leads the managed service business line, working extensively across multiple sectors including telecommunications, technology, higher education, travel, and retail. He is passionate about equipping small and medium-sized businesses (SMBs) with robust cyber security strategies to fuel their growth.

Published
May 21 - 2026