You must have heard of RYUK before. It’s one of the nastiest, most evil ransomware strains, attributed to North Korean state-sponsored cyber criminals. They are an APT—Advanced Persistent Threat—and go in silently, live undetected on your network for months, and then one very bad day they encrypt all devices on the network to create the maximum amount of disruption and downtime.
And they now have a new “feature”…
Ryuk uses the Wake-on-LAN feature to turn on powered-off devices on a large compromised network so that it can encrypt more of them.
Wake-on-LAN is a hardware feature that allows a powered-down device to be woken up, or powered on, by sending a special network packet to it. It is highly useful for admins who may need to push out updates to a computer or perform scheduled tasks when it is powered down. It is also highly useful for evil APTs.
According to a recent analysis of Ryuk by Head of SentinelLabs Vitali Kremez, when the malware is executed it will spawn subprocesses with the argument ‘8 LAN’.
How It Works
When this argument is used, Ryuk will scan the device’s ARP table, which is a list of known IP addresses on the network and their associated MAC addresses, and check whether the entries are part of the private IP address subnets of “10.”, “172.16.”, and “192.168.”
If an ARP entry is part of any of those networks, Ryuk will send a Wake-on-LAN (WoL) packet to the device’s MAC address to have it power up. This WoL request comes in the form of a ‘magic packet’ containing ‘FF FF FF FF FF FF FF FF’. If the WoL request was successful, Ryuk will then attempt to mount the remote device’s C$ administrative share.
Mount drive to the Remote C$ Share
If they can mount the share, Ryuk will encrypt that remote computer’s drive as well.
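The two observable steps described above (a burst of WoL magic packets, then connections to the C$ administrative share on internal hosts) are a pattern a defender can look for in network telemetry. The following is an added detection example, not code from the article, from SentinelLabs or from BleepingComputer. It parses the standard magic-packet layout (a 6-byte 0xFF sync stream followed by the target MAC repeated 16 times, which also matches a packet that begins with the 8 FF bytes mentioned above), checks targets against the three RFC 1918 private ranges the article lists, and flags a source host that wakes several machines and then opens C$ on private-subnet hosts within a short window. The event format and the sample events are constructed for this example.

```python
"""Detect a Wake-on-LAN burst followed by C$ admin-share access (added example)."""
import ipaddress
from collections import defaultdict

# The three private ranges named in the article, as full RFC 1918 networks.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SYNC = b"\xff" * 6  # magic-packet synchronization stream


def in_rfc1918(ip: str) -> bool:
    """True if ip falls inside 10/8, 172.16/12 or 192.168/16."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_magic_packet(payload: bytes):
    """Return the target MAC ('aa:bb:cc:dd:ee:ff') if payload carries a WoL magic packet, else None.

    Scans every offset so that leading padding or a longer run of 0xFF (the article
    quotes eight FF bytes) is still recognized. A MAC of all 0xFF is rejected so a
    payload that is nothing but 0xFF bytes is not mistaken for a magic packet.
    """
    for i in range(len(payload) - 102 + 1):
        if payload[i:i + 6] != SYNC:
            continue
        mac = payload[i + 6:i + 12]
        if mac != SYNC and payload[i + 6:i + 102] == mac * 16:
            return ":".join(f"{b:02x}" for b in mac)
    return None


def find_wol_to_admin_share(events, threshold=3, window=300):
    """Flag sources that wake >= threshold distinct MACs and then reach C$ on a private host.

    events: dicts with keys t (seconds), src, kind ('udp' or 'smb') and either
    dst_port/payload (udp) or dst_ip/share (smb). Constructed schema for this example.
    """
    wakes = defaultdict(list)   # src -> [(t, mac)]
    shares = defaultdict(list)  # src -> [(t, dst_ip)]
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["kind"] == "udp" and ev["dst_port"] in (7, 9):  # common WoL ports
            mac = parse_magic_packet(ev["payload"])
            if mac:
                wakes[ev["src"]].append((ev["t"], mac))
        elif ev["kind"] == "smb" and ev["share"].upper() == "C$" and in_rfc1918(ev["dst_ip"]):
            shares[ev["src"]].append((ev["t"], ev["dst_ip"]))

    alerts = []
    for src, wl in wakes.items():
        macs = {m for _, m in wl}
        if len(macs) < threshold:
            continue
        first_wake = wl[0][0]
        hit = sorted({ip for t, ip in shares.get(src, []) if first_wake <= t <= first_wake + window})
        if hit:
            alerts.append({"src": src, "woken_macs": len(macs), "admin_shares": hit})
    return alerts


def _magic(mac_hex: str) -> bytes:
    """Constructed sample payload: sync stream plus the MAC repeated 16 times."""
    return SYNC + bytes.fromhex(mac_hex) * 16


# Constructed sample telemetry: 10.1.1.5 wakes four hosts, then mounts C$ on two of
# them; 10.1.1.2 is an admin sending a single WoL packet with no share access.
SAMPLE_EVENTS = [
    {"t": 0, "src": "10.1.1.5", "kind": "udp", "dst_port": 9, "payload": _magic("001122334401")},
    {"t": 1, "src": "10.1.1.5", "kind": "udp", "dst_port": 9, "payload": _magic("001122334402")},
    {"t": 2, "src": "10.1.1.5", "kind": "udp", "dst_port": 9, "payload": _magic("001122334403")},
    {"t": 3, "src": "10.1.1.5", "kind": "udp", "dst_port": 9, "payload": _magic("001122334404")},
    {"t": 4, "src": "10.1.1.5", "kind": "udp", "dst_port": 9, "payload": b"not a magic packet"},
    {"t": 10, "src": "10.1.1.2", "kind": "udp", "dst_port": 9, "payload": _magic("00112233aa01")},
    {"t": 60, "src": "10.1.1.5", "kind": "smb", "dst_ip": "10.1.1.20", "share": "C$"},
    {"t": 65, "src": "10.1.1.5", "kind": "smb", "dst_ip": "10.1.1.21", "share": "c$"},
    {"t": 70, "src": "10.1.1.5", "kind": "smb", "dst_ip": "10.1.1.22", "share": "Public"},
]

if __name__ == "__main__":
    for alert in find_wol_to_admin_share(SAMPLE_EVENTS):
        print(alert)
```

A single WoL packet from an admin workstation is normal, so the rule keys on the combination: many distinct targets woken from one host, then C$ access on private-subnet machines shortly afterwards. Tune `threshold` and `window` to what your own admins actually do.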
In conversations with BleepingComputer, Kremez stated that this evolution in Ryuk’s tactics allows better reach within a compromised network from a single device and shows the Ryuk operators’ skill in traversing a corporate network.
“This is how the group adapted the network-wide ransomware model to affect more machines via the single infection and by reaching the machines via WOL & ARP,” Kremez told BleepingComputer. “It allows for more reach and less isolation and demonstrates their experience dealing with large corporate environments.”
** Optrics Inc. is an Authorized KnowBe4 partner
Find out how affordable new-school security awareness training is for your organization. Get a quote now.
The original article can be found here: