Beware! Ryuk Ransomware Turns On Powered Off Devices To Encrypt Files

Image: Ryuk ransomware. Credit: Depositphotos

Ryuk ransomware has been operating since August 2018 and has targeted several large organizations, demanding high ransoms. Now its authors have made it more dangerous by adding new capabilities. As reported by Bleeping Computer, Ryuk now uses the Wake-on-LAN feature to turn on switched-off devices on a compromised network.

Wake-on-LAN is a hardware feature that turns on a powered-off device on a network by sending it a special network message. Network administrators typically use it to push updates or complete already scheduled tasks once the device powers on.

An analysis by Vitali Kremez, Head of SentinelLabs, suggests that when Ryuk ransomware is executed, it spawns subprocesses with the argument ‘8 Lan’.

Image: Spawning a subprocess with the 8 Lan argument [Source: Bleeping Computer]
When run with the 8 Lan argument, the malware scans the targeted device’s Address Resolution Protocol (ARP) table, which maps IP addresses to their corresponding MAC addresses. It checks whether the entries belong to the private IP address subnets beginning with “10.”, “172.16”, and “192.168”.

If it finds such an entry, Ryuk wakes the device by sending a Wake-on-LAN (WoL) packet to its MAC address. Once the WoL request succeeds, Ryuk mounts the device’s C$ administrative share. If the share mounts successfully, Ryuk encrypts the computer’s drive.

Image: Ryuk sending a WoL packet [Source: Bleeping Computer]
Speaking to Bleeping Computer, Vitali Kremez says: “This is how the group adapted the network-wide ransomware model to affect more machines via the single infection and by reaching the machines via WOL & ARP. It allows for more reach and less isolation and demonstrates their experience dealing with large corporate environments.”

To limit Ryuk’s reach across a network, administrators are advised to allow Wake-on-LAN packets only from authorized devices.
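One way to act on that advice, as an added example that is not from the article or from the researchers it cites: parse UDP payloads for the standard WoL magic-packet format and alert on senders outside an allowlist, or on a single source waking many hosts, which is the pattern described above. The allowlist address, the burst threshold and the sample packets are constructed for illustration.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Hosts allowed to send Wake-on-LAN (constructed: a single management server).
AUTHORIZED_WOL_SENDERS = {"10.0.0.5"}
# One source waking this many distinct machines matches the behaviour described above.
BURST_THRESHOLD = 3

def parse_wol_magic_packet(payload: bytes) -> Optional[str]:
    """Return the target MAC if payload is a WoL magic packet, else None.
    Format: 6 bytes of 0xFF, then the target MAC repeated 16 times; an optional
    SecureOn password (4 or 6 bytes) may trail it, so extra bytes are tolerated."""
    if len(payload) < 102 or payload[:6] != b"\xff" * 6:
        return None
    mac = payload[6:12]
    if payload[6:102] != mac * 16:
        return None
    return ":".join(f"{b:02x}" for b in mac)

def audit_wol_traffic(packets: Iterable[Tuple[str, bytes]]) -> List[str]:
    """packets: (source IP, UDP payload) pairs, e.g. from a capture of UDP/9.
    Flags magic packets from non-allowlisted senders, and any sender that
    wakes BURST_THRESHOLD or more distinct MACs."""
    alerts: List[str] = []
    woken: Dict[str, Set[str]] = defaultdict(set)
    for src_ip, payload in packets:
        mac = parse_wol_magic_packet(payload)
        if mac is None:
            continue  # ordinary UDP traffic, not a magic packet
        woken[src_ip].add(mac)
        if src_ip not in AUTHORIZED_WOL_SENDERS:
            alerts.append(f"unauthorized WoL from {src_ip} to {mac}")
    for src_ip, macs in woken.items():
        if len(macs) >= BURST_THRESHOLD:
            alerts.append(f"{src_ip} sent WoL to {len(macs)} distinct hosts")
    return alerts

def magic_packet(mac: str) -> bytes:
    """Build a magic packet; used here only to construct the sample traffic."""
    return b"\xff" * 6 + bytes.fromhex(mac.replace(":", "")) * 16

# Constructed sample: a legitimate admin wake-up, then a workstation waking three peers.
SAMPLE_PACKETS = [
    ("10.0.0.5", magic_packet("00:11:22:33:44:55")),
    ("192.168.1.20", magic_packet("00:11:22:33:44:aa")),
    ("192.168.1.20", magic_packet("00:11:22:33:44:bb")),
    ("192.168.1.20", magic_packet("00:11:22:33:44:cc")),
    ("192.168.1.20", b"not a magic packet"),
]
```

Running `audit_wol_traffic(SAMPLE_PACKETS)` yields three unauthorized-sender alerts for the workstation plus one burst alert, while the management server's packet is silent.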

Anmol Sachdeva

Anmol is a tech journalist who handles reportage of cybersecurity and Apple and OnePlus devices at Fossbytes. He's an ambivert who is striving hard to appease existential crisis by eating, writing, and scrolling through memes.