
WantToCry ransomware remotely encrypts files

ID: 29f79d86-583e-54d7-a24d-4a1679905c37

STIX ID: report--29f79d86-583e-54d7-a24d-4a1679905c37

Feed Name: Sophos Blogs

Threat Score: 70/100

Date Published: 2026-05-19

Date Updated: 2026-05-27


SophosLabs analyzed 'WantToCry' ransomware operations in which attackers scan for internet-exposed SMB (TCP 139/445) and brute-force weak or compromised credentials. They then exfiltrate files over authenticated SMB sessions to attacker infrastructure for remote encryption, write the encrypted files back to victims, and drop ransom notes. The report includes observed IP addresses and VM hostnames, describes low ransom demands ($400–$1,800, commonly $600), and notes detection challenges because there is no local malware execution. It recommends disabling or locking down SMB, blocking inbound SMB, and using file-content monitoring and XDR.
