The cyberthreat landscape is undergoing a significant architectural transition. Rather than deploying noisy local malware executables, advanced threat actors are increasingly leveraging legitimate network protocols to orchestrate remote, highly evasive campaigns. A primary example of this modern threat design is the WantToCry ransomware family.
According to detailed technical investigations published by Sophos Counter Threat Unit Research Team, WantToCry exploits internet-exposed Server Message Block (SMB) network ports. By operating entirely within remote authenticated sessions, the malware exfiltrates files, encrypts them on attacker-controlled command-and-control (C2) infrastructure, and writes the encrypted data back to the victim’s storage.
Because no malicious code runs locally on the targeted machine, conventional Endpoint Detection and Response (EDR) agents and local antivirus solutions often register zero behavioral anomalies. This technical analysis breaks down the anatomy of the WantToCry remote encryption loop, compares it to legacy threats like WannaCry, and details how Visuality Systems mitigates these protocol-level vulnerabilities.
Anatomy of the WantToCry Remote Encryption Loop
Unlike traditional ransomware strains that execute payloads directly on the host file system, WantToCry relies on a complete off-system execution loop. This architectural choice minimizes the local forensic footprint.
1. Reconnaissance and Public Scanning
The attack begins with wide-scale automated scanning targeting file-sharing interfaces. Threat actors actively scan public IPv4 blocks for exposed SMB services on TCP port 445 and TCP port 139. To illustrate the scale of this exposure, a Shodan scan cited by Sophos revealed over 1.5 million exposed SMB ports globally, with more than 600,000 exposures located in the United States alone.
2. Automated Authentication Abuse
Once an exposed port is found, attackers do not rely on complex software exploits. Instead, they launch automated brute-force credential attacks, utilizing a database of over one million passwords to target systems running default, weak, or reused credentials.
3. Legitimate File Exfiltration
Upon successful authentication, the attacker establishes a legitimate, authenticated SMB session. Standard network read commands are initiated to exfiltrate documents and databases directly from exposed shares and Network-Attached Storage (NAS) devices. While the data is stolen, Sophos researchers note there is no current evidence that these files are used in public “double-extortion” leak schemes.
4. Out-of-Band Encryption & Destination Writeback
The core of the evasion occurs on the attacker’s C2 servers. The stolen files are processed and encrypted externally. After remote encryption, the attackers execute authenticated SMB write transactions back across the same network session, overwriting the original files with the encrypted payloads.
The files are renamed with the .want_to_cry extension, and a ransom note titled !want_to_cry.txt is written to every affected directory. The note directs the victim to establish contact via secure qTox or Telegram channels. The demand typically ranges between $300 and $1,800 in Bitcoin.
Sophos traced the attacking infrastructure to several distinct IP addresses, attributing the brute-forcing attempts to a Russian hosting provider (185.189.13.56) and the authenticated writeback sessions to virtual machines geolocated in Germany, the USA, and Singapore.
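Because every step of this loop is carried out through the victim's own SMB server, the server-side audit trail is where it shows up: a burst of failed logons from one client ending in a success, reads from the shares, then writes of .want_to_cry-named files and the !want_to_cry.txt note. The following Python example is added here and is not part of the Sophos research or Visuality's products; it scores a constructed, simplified audit log (the log format, field layout, and failure threshold are assumptions) for those indicators per client IP.

```python
from collections import defaultdict
from datetime import datetime

# Constructed, simplified SMB server audit log (not real WantToCry telemetry).
# Format per line: "<timestamp> <client_ip> <account> <event> <path-or-dash>".
SAMPLE_LOG = """\
2026-01-10T02:00:01 198.51.100.7 admin AUTH_FAIL -
2026-01-10T02:00:02 198.51.100.7 admin AUTH_FAIL -
2026-01-10T02:00:03 198.51.100.7 admin AUTH_FAIL -
2026-01-10T02:00:04 198.51.100.7 admin AUTH_FAIL -
2026-01-10T02:00:05 198.51.100.7 admin AUTH_FAIL -
2026-01-10T02:00:06 198.51.100.7 admin AUTH_OK -
2026-01-10T02:00:07 198.51.100.7 admin READ /share/finance/q1.xlsx
2026-01-10T02:05:30 198.51.100.7 admin WRITE /share/finance/q1.xlsx.want_to_cry
2026-01-10T02:05:31 198.51.100.7 admin WRITE /share/finance/q2.xlsx.want_to_cry
2026-01-10T02:05:32 198.51.100.7 admin WRITE /share/finance/!want_to_cry.txt
2026-01-10T02:01:00 10.0.0.15 alice AUTH_OK -
2026-01-10T02:01:05 10.0.0.15 alice READ /share/hr/policy.docx
2026-01-10T02:01:09 10.0.0.15 alice WRITE /share/hr/policy.docx
"""

FAIL_THRESHOLD = 5            # assumed: failed logons before a success is suspicious
RANSOM_EXT = ".want_to_cry"   # extension reported by Sophos
RANSOM_NOTE = "!want_to_cry.txt"

def parse(log_text):
    """Return (time, ip, account, event, detail) tuples, oldest first."""
    rows = []
    for line in log_text.splitlines():
        ts, ip, account, event, detail = line.split(maxsplit=4)
        rows.append((datetime.fromisoformat(ts), ip, account, event, detail))
    return sorted(rows)

def analyse(log_text):
    """Map each client IP to the WantToCry-style indicators seen in its sessions."""
    fails = defaultdict(int)       # consecutive AUTH_FAIL count per client
    renamed = defaultdict(list)    # writes of *.want_to_cry per client
    findings = defaultdict(list)
    for ts, ip, account, event, detail in parse(log_text):
        if event == "AUTH_FAIL":
            fails[ip] += 1
        elif event == "AUTH_OK":
            if fails[ip] >= FAIL_THRESHOLD:   # brute force that finally succeeded
                findings[ip].append(f"logon as {account} after {fails[ip]} failures")
            fails[ip] = 0
        elif event == "WRITE":
            if detail.endswith(RANSOM_EXT):   # encrypted payload written back
                renamed[ip].append(detail)
            elif detail.rsplit("/", 1)[-1] == RANSOM_NOTE:
                findings[ip].append(f"ransom note written: {detail}")
    for ip, paths in renamed.items():
        findings[ip].append(f"{len(paths)} files overwritten with {RANSOM_EXT} names")
    return dict(findings)
```

The legitimate session from 10.0.0.15 produces no findings, while the attacker session is flagged three times; in a real deployment the same logic would run over the file server's share-access and logon audit events rather than this constructed format.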
Technical Paradigm Shift: WannaCry vs. WantToCry
While the name WantToCry clearly references the infamous 2017 WannaCry global campaign, their architectural attack patterns represent two entirely different protocol exploitation models.
| Vector | WannaCry (2017) | WantToCry (2024–2026) |
|---|---|---|
| Primary Entry | Exploits unpatched software vulnerabilities (EternalBlue) | Automated credential brute-forcing targeting exposed services |
| Protocol Dialect | Restricted to legacy and obsolete SMBv1 (CIFS) | Agnostic; targets any SMB session (including SMB2/SMB3) with weak credentials |
| Execution Path | Drops and runs malicious payloads locally on the victim system | Out-of-band remote execution; no local ransomware process runs on the target host |
| File Modification | Local Windows file system APIs modify files in place | Authenticated network read/write transactions exfiltrate and overwrite |
| Propagation | Self-propagating network worm | Direct host-to-host or client-server target access |
| Detection Surface | High; easily identified by endpoint antivirus and EDR | Low; virtually invisible to EDR because only standard network traffic is logged |
Protocol-Level Hardening and Prevention Strategies
Traditional signature-based endpoint defenses are structurally bypassed by remote network encryption. Mitigating this threat requires proactive network-protocol-level hardening.
Perimeter De-exposure and Port Blocking
Publicly exposing file-sharing ports to the internet is a severe vulnerability. Firewalls must block all incoming traffic to TCP port 445 and TCP port 139 at the perimeter. Remote access to shared resources must be restricted strictly to authenticated Virtual Private Networks (VPN) or Zero Trust Network Access (ZTNA) gateways.
Authentication and Access Controls
Block all guest or anonymous SMB access. Implement strict account lockout policies to neutralize brute-force dictionary attacks.
Securing Infrastructure with Visuality Systems
As the trusted SMB protocol experts, Visuality Systems provides commercial, validated software stacks that secure files in transit and effectively mitigate the network vectors exploited by WantToCry.
Eliminating the TCP Port 445 Attack Surface with SMB over QUIC
To mitigate the public scanning and reconnaissance phases of campaigns like WantToCry, Visuality Systems provides an integrated SMB over QUIC add-on for both YNQ and jNQ, alongside advanced configuration hardening.
By replacing the standard TCP port 445 transport layer with UDP port 443 (utilizing TLS 1.3 for handshake encryption), organizations achieve:
- Zero Standard Scanning Profile – public Shodan or Censys scans searching for open file-sharing ports register zero exposure, as standard TCP port 445 is completely closed to the internet.
- Obscurity via Alternative Ports – for legacy or hybrid environments where QUIC cannot be deployed immediately, our stacks support custom/alternative port mapping. Shifting SMB traffic away from default ports disrupts automated brute-force scripts that target standard network entry points.
- Defeating Anonymous Lateral Movement – WantToCry and similar strains frequently target weak or anonymous access points. By explicitly disabling guest access and enforcing strict, authenticated user-level permissions, the system blocks unauthorized network discovery and prevents attackers from mapping directory structures without valid, high-privilege credentials.
- Secure Remote Access – QUIC establishes an end-to-end encrypted tunnel natively. This allows remote systems to access files securely over the internet with robust authentication, completely bypassing the configuration overhead, vulnerability surface, and latency of a traditional VPN.
Action and Consultation Initiative
Organizations are invited to consult with our engineering team:
- Request a Free Trial – evaluate fully licensed versions of the YNQ or jNQ commercial libraries within your development environments.
- Technical Consultations – design a secure protocol migration roadmap with our team of specialists.
- Contact Us – reach the engineering desk directly via email at [email protected].
Lilia Wasserman, VP R&D, Visuality Systems