[Heads-up] The Evil Ryuk Ransomware Strain Now Uses Wake-on-Lan To Encrypt Your *Offline* Devices


You must have heard of RYUK before. It’s one of the most nasty, evil ransomware strains attributed to the North Korean state sponsored cyber criminals. They are an APT—Advanced Persistent Threat— and go in silent, live undetected on your network for months, and then one very bad day they encrypt all devices on the network to create the maximum amount of disruption and downtime.

And they now have a new “feature”…

Ryuk uses the Wake-on-Lan feature to turn on powered-off devices on a large compromised network to have greater success encrypting them.

Wake-on-Lan is a hardware feature that allows a powered-down device to be woken up, or powered on, by sending a special network packet to it. Highly useful for admins who may need to push out updates to a computer or perform scheduled tasks when it is powered down. Also highly useful for evil APTs.

According to a recent analysis of Ryuk by Head of SentinelLabs Vitali Kremez, when the malware is executed it will spawn subprocesses with the argument ‘8 LAN’.

How It Works

When this argument is used, Ryuk will scan the device’s ARP table, which is a list of known IP addresses on the network and their associated mac addresses, and check if the entries are part of the private IP address subnets of “10.”, “172.16.”, and “192.168.”

If the ARP entry is part of any of those networks, Ryuk will send a Wake-on-Lan (WoL) packet to the device’s MAC address to have it power up. This WoL request comes in the form of a ‘magic packet’ containing ‘FF FF FF FF FF FF FF FF’. If the WoL request was successful, Ryuk will then attempt to mount the remote device’s C$ administrative share.Mount drive to the Remote C$ Share

If they can mount the share, Ryuk will encrypt that remote computer’s drive as well.

In conversations with BleepingComputer, Kremez stated that this evolution in Ryuk’s tactics allow a better reach in a compromised network from a single device and shows the Ryuk operator’s skill traversing a corporate network.

“This is how the group adapted the network-wide ransomware model to affect more machines via the single infection and by reaching the machines via WOL & ARP,” Kremez told BleepingComputer. “It allows for more reach and less isolation and demonstrates their experience dealing with large corporate environments.”

How Vulnerable Is Your Network When An APT Has Penetrated Your Systems?

RanSim With Cryptominer Simulation

Want to find out if your endpoint security software will block ransomware strains like Ryuk?

Bad guys are constantly coming out with new malware versions to evade detection. That’s why we’ve updated our Ransomware Simulated tool “RanSim” to include a new cryptomining scenario!

This new cryptomining scenario simulates a Monero cryptocurrency-mining operation on the local machine. Monero mining is the most popular cryptocurrency mined by real-world malware and takes a lot of CPU and GPU cycles to process the data necessary to generate the currencies.

Try KnowBe4’s NEW Ransomware Simulator tool and get a quick look at the effectiveness of your existing network protection against the latest threats.

RanSim will simulate 13 ransomware infection scenarios and 1 cryptomining infection scenario to show you if a workstation is vulnerable to infection.

Here’s how RanSim works:

  • 100% harmless simulation of real ransomware and cryptomining infection scenarios
  • Does not use any of your own files
  • Tests 14 different types of infection scenarios
  • Just download the install and run it
  • Results in a few minutes!

This is a complementary tool and will take you 5 minutes max. RanSim may give you some insights about your endpoint security you never expected!

Don’t like to click on redirected buttons? Copy and paste this link into your browser: 


Original article written by:  Stu Sjouwerman

At Raptor IT Consultants, our goal is providing a full service, one stop approach towards managed IT services, that is scalable & affordable, with a dedicated IT support helpdesk that understands your time is valuable, and offering a comprehensive experience you can rely on for all your business technology needs in the Sacramento region.

Did you know that 60% of spoofed email attacks do not include a malicious link or attachment? When crafted well, most users are likely to fall victim to a highly targeted phishing attack. Many of your users think they are safe as long as they don’t click on something in an email, but through the use of a social engineering tactic called “pretexting”, the bad guys establish trust with your key users by pretending to be someone they know in order to carry out a damaging attack. These types of attacks usually do not have links or attachments and simply trick your users into replying to the email and performing actions that lead to monetary or data loss for your organization. Identify how many users take the bait and reply before the bad guys do with our comprehensive service and train your users to protect your business network.

Leave a Reply

Your email address will not be published. Required fields are marked *