[Heads-up] The Evil Ryuk Ransomware Strain Now Uses Wake-on-Lan To Encrypt Your *Offline* Devices

AdobeStock_53420150You must have heard of RYUK before. It's one of the most nasty, evil ransomware strains attributed to the North Korean state sponsored cyber criminals. They are an APT—Advanced Persistent Threat— and go in silent, live undetected on your network for months, and then one very bad day they encrypt all devices on the network to create the maximum amount of disruption and downtime.

And they now have a new "feature"...

Ryuk uses the Wake-on-Lan feature to turn on powered-off devices on a large compromised network to have greater success encrypting them.

Wake-on-Lan is a hardware feature that allows a powered-down device to be woken up, or powered on, by sending a special network packet to it. Highly useful for admins who may need to push out updates to a computer or perform scheduled tasks when it is powered down. Also highly useful for evil APTs.

According to a recent analysis of Ryuk by Head of SentinelLabs Vitali Kremez, when the malware is executed it will spawn subprocesses with the argument '8 LAN'.

How It Works

When this argument is used, Ryuk will scan the device's ARP table, which is a list of known IP addresses on the network and their associated mac addresses, and check if the entries are part of the private IP address subnets of "10.", "172.16.", and "192.168."

If the ARP entry is part of any of those networks, Ryuk will send a Wake-on-Lan (WoL) packet to the device's MAC address to have it power up. This WoL request comes in the form of a 'magic packet' containing 'FF FF FF FF FF FF FF FF'. If the WoL request was successful, Ryuk will then attempt to mount the remote device's C$ administrative share.

Mount drive to the Remote C$ Share

If they can mount the share, Ryuk will encrypt that remote computer's drive as well.

In conversations with BleepingComputer, Kremez stated that this evolution in Ryuk's tactics allow a better reach in a compromised network from a single device and shows the Ryuk operator's skill traversing a corporate network.

"This is how the group adapted the network-wide ransomware model to affect more machines via the single infection and by reaching the machines via WOL & ARP," Kremez told BleepingComputer. "It allows for more reach and less isolation and demonstrates their experience dealing with large corporate environments."

How Vulnerable Is Your Network When An APT Has Penetrated Your Systems?

RanSim With Cryptominer Simulation

Want to find out if your endpoint security software will block ransomware strains like Ryuk?

Bad guys are constantly coming out with new malware versions to evade detection. That’s why we’ve updated our Ransomware Simulated tool “RanSim” to include a new cryptomining scenario!

This new cryptomining scenario simulates a Monero cryptocurrency-mining operation on the local machine. Monero mining is the most popular cryptocurrency mined by real-world malware and takes a lot of CPU and GPU cycles to process the data necessary to generate the currencies.

Try KnowBe4’s NEW Ransomware Simulator tool and get a quick look at the effectiveness of your existing network protection against the latest threats.

RanSim will simulate 13 ransomware infection scenarios and 1 cryptomining infection scenario to show you if a workstation is vulnerable to infection.

Here's how RanSim works:

  • 100% harmless simulation of real ransomware and cryptomining infection scenarios
  • Does not use any of your own files
  • Tests 14 different types of infection scenarios
  • Just download the install and run it
  • Results in a few minutes!

This is a complementary tool and will take you 5 minutes max. RanSim may give you some insights about your endpoint security you never expected!

Download RanSim

Don't like to click on redirected buttons? Copy and paste this link into your browser: 


Topics: Ransomware

Subscribe to Our Blog

Comprehensive Anti-Phishing Guide

Get the latest about social engineering

Subscribe to CyberheistNews