CryptoGuard detection for a WantToCry incident
A newly analyzed ransomware campaign is turning traditional endpoint defense playbooks upside down by executing its entire encryption loop without running a single line of local malware code.
An in-depth investigation by the Sophos Counter Threat Unit Research Team has peeled back the layers on WantToCry. Posing a distinct challenge to traditional Endpoint Detection and Response (EDR) platforms, the threat actors abuse internet-exposed Server Message Block (SMB) file-sharing services to silently read, encrypt, and overwrite targeted network data from afar.
As the Sophos Counter Threat Unit team emphasizes in their core intelligence briefing:
“The detection surface is significantly reduced because WantToCry operates without local malware execution, and there is no post-compromise activity beyond exfiltrating files and rewriting them to disk.”
The moniker chosen by the attackers is a deliberate nod to the infamous WannaCry ransomware worm that devastated global networks in 2017.
However, Sophos analysts note that the operational baseline of the two campaigns could not be more different. Unlike its worm-like predecessor, which exploited software vulnerabilities to self-propagate, WantToCry relies strictly on scanning and authentication brute-forcing to carve its entry paths.
“While WantToCry is not self-propagating and there is no evidence to suggest that the two operations are connected, organizations with internet-exposed SMB services are similarly at risk.”
The attack sequence bypasses typical post-intrusion network positioning, moving from initial access to data encryption in a tightly closed loop.
- Reconnaissance: The threat actors use mass internet-scanning infrastructure to discover hosts listening publicly on the SMB ports TCP/139 and TCP/445.
- Brute-Forcing: Automated scripts relentlessly target these exposed ports, testing default or weak user credentials until they obtain a valid, authenticated foothold on the share.
- The Remote Swap: Once valid credentials are authenticated, a separate network of attacker-controlled systems takes over the active SMB session. The remote servers systematically issue file-read requests to pull documents over the network, encrypt them locally on the attacker’s own hardware, and use file-write commands to save the unreadable versions back onto the victim’s storage drive.
Because no untrusted binaries are executed, no malicious registry edits are created, and no unexpected system processes run locally on the target server, local anti-malware tools remain entirely blind to the destruction occurring across the network file shares.
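As an added illustration that is not part of the Sophos research, the Python below shows where the campaign does leave a trace: the file server's share-access audit trail. It parses constructed records shaped like Windows Event ID 5145 (detailed file share auditing), with a workstation name appended that in practice would be joined in from the logon event, assumes the organisation's own address space is RFC 1918, and flags any session that reads files and writes them straight back, file after file. The workstation name is one of the two the article reports; the source IP, account names and file paths are constructed.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Ranges the organisation itself uses (an assumption for this example); any
# other address reaching a share is the internet exposure the campaign needs.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed share-access records (not real telemetry), one per line:
# time, source IP, workstation, account, access requested, target on the share.
SAMPLE_EVENTS = r"""
2024-01-01T03:00:01 198.51.100.7 WIN-J9D866ESIJ2 backup ReadData \Finance\q1.xlsx
2024-01-01T03:00:02 198.51.100.7 WIN-J9D866ESIJ2 backup WriteData \Finance\q1.xlsx
2024-01-01T03:00:03 198.51.100.7 WIN-J9D866ESIJ2 backup ReadData \Finance\q2.xlsx
2024-01-01T03:00:04 198.51.100.7 WIN-J9D866ESIJ2 backup WriteData \Finance\q2.xlsx
2024-01-01T03:00:05 198.51.100.7 WIN-J9D866ESIJ2 backup ReadData \HR\staff.docx
2024-01-01T03:00:06 198.51.100.7 WIN-J9D866ESIJ2 backup WriteData \HR\staff.docx
2024-01-01T09:15:00 10.0.0.5 ACCT-PC01 alice ReadData \Finance\q1.xlsx
2024-01-01T09:16:30 10.0.0.5 ACCT-PC01 alice ReadData \Finance\q2.xlsx
2024-01-01T09:40:00 10.0.0.5 ACCT-PC01 alice WriteData \Finance\q1.xlsx
"""

def is_external(ip: str) -> bool:
    """True when the source address lies outside the organisation's own ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def detect_remote_overwrites(events: str, window_s: int = 60, min_files: int = 3) -> dict:
    """Return {(source IP, workstation): file count} for sessions that read a
    file and wrote it back within window_s seconds, for at least min_files
    distinct files. A person editing a document also reads then writes, but
    not one file after another within seconds, so the threshold separates them."""
    last_read = {}                   # (src, host, path) -> time of latest read
    rewritten = defaultdict(set)     # (src, host) -> paths read then rewritten
    for line in events.strip().splitlines():
        ts, src, host, _account, access, path = line.split(maxsplit=5)
        when = datetime.fromisoformat(ts)
        key = (src, host, path)
        if access == "ReadData":
            last_read[key] = when
        elif access == "WriteData" and key in last_read:
            if when - last_read[key] <= timedelta(seconds=window_s):
                rewritten[(src, host)].add(path)
    return {k: len(v) for k, v in rewritten.items() if len(v) >= min_files}

if __name__ == "__main__":
    for (src, host), n in detect_remote_overwrites(SAMPLE_EVENTS).items():
        origin = "EXTERNAL" if is_external(src) else "internal"
        print(f"{origin} {src} ({host}) rewrote {n} files right after reading them")
```

Only the external session is reported; the internal user's read-then-write of a single file 25 minutes later stays below both the time window and the file-count threshold.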
Sophos tracked the campaign’s network footprint across five separate, globally distributed IP addresses spanning Germany, Russia, the United States, and Singapore.
The forensic investigation identified two recurring computer names driving the automated authenticated file-write operations: WIN-J9D866ESIJ2 and WIN-LIVFRVQFMKO. Analysts determined that these boxes originate as virtual machines leased out by ISPsystem, a legitimate IT infrastructure provider, which have subsequently been co-opted or re-leased by malicious bulletproof hosting brokers.
Once the file swap loop concludes, the attackers write a ransom note to the share, directing victims to temporary qTox or Telegram communication channels to get Bitcoin wallet details. Interestingly, the ransom demands remain incredibly low, typically a flat $600 per incident. In contrast to multi-million dollar corporate extortions, Sophos notes that this pricing directly “reflects the limited scope of the ransomware deployment,” as encryption is usually isolated strictly to the single device exposing its SMB shares to the wider internet.