{
	"id": "73becf57-4431-41a5-8be1-3983ea30452c",
	"created_at": "2026-04-06T00:16:42.277727Z",
	"updated_at": "2026-04-10T13:12:35.767835Z",
	"deleted_at": null,
	"sha1_hash": "6eedcc836c4aeec23f2e1bcd4a3923aeeec51846",
	"title": "WIZARD SPIDER Adds New Features to Ryuk | CrowdStrike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 331909,
	"plain_text": "WIZARD SPIDER Adds New Features to Ryuk | CrowdStrike\r\nBy Alexander Hanel and Brett Stone-Gross\r\nArchived: 2026-04-02 12:24:35 UTC\r\nCrowdStrike® Intelligence analyzed variants of Ryuk (a ransomware family distributed by WIZARD SPIDER)\r\nwith new functionality for identifying and encrypting files on hosts in a local area network (LAN). These features\r\ntarget systems that have recently been placed in a standby power state, as well as online systems on the LAN.\r\nMagic Packet\r\nThe first new Ryuk feature attempts to wake LAN hosts that are in a standby power state by sending them a Wake-on-LAN (WoL) magic packet. The affected machine must support WoL, and its network card must have the\r\nsetting configured in the BIOS. To identify machines on the LAN, Ryuk reads entries in the host Address\r\nResolution Protocol (ARP) cache; in addition, for each address in the cache, it sends a WoL magic packet. The\r\npacket is sent over a User Datagram Protocol (UDP) socket with the socket option SO_BROADCAST using\r\ndestination port 7 . The WoL magic packet starts with FF FF FF FF FF FF , followed by the target’s computer\r\nMAC address. An example WoL packet is highlighted in blue in Figure 1.\r\nFigure 1. Ryuk Wake-on-LAN Packet Example\r\nUDP packets observed being sent specifically to destination port 7 during a ransomware incident may be an\r\nindication that Ryuk is present. This Wake-On-LAN implementation is somewhat naive, because the default ARP\r\ncache timeout is short-lived on modern versions of Windows. Thus, the number of systems that may be impacted\r\nhttps://www.crowdstrike.com/blog/wizard-spider-adds-new-feature-to-ryuk-ransomware/\r\nPage 1 of 2\n\nby this current implementation is likely to be limited, since only systems that have recently been put to sleep\r\nwould still have their MAC address present in a remote system’s ARP cache.\r\nARP Ping Scanner\r\nThe second Ryuk feature uses ARP ping scanning to identify hosts on the LAN. 
To identify the proper subnet to\r\nscan, it checks each entry in the ARP cache to see whether it contains an IP address with the substring “10.”,\r\n“172.16.”, or “192.168.” in it. If an IP address contains one of these strings, it starts sending ARP and PING\r\nrequests to all IP addresses in the Class C network starting with that string value. For example, if the ARP cache\r\nentry contained the IP address 192.168.240\u003c.\u003e57, it would start scanning at 192.168.240\u003c.\u003e1 and increment\r\nthe last octet by 1 until reaching the IP address 192.168.240\u003c.\u003e254. If a host responds, Ryuk attempts to mount it\r\nas a network drive, using Server Message Block (SMB), and encrypt its contents.\r\nConclusion\r\nBy attempting to wake systems and using ARP ping scanning combined with network drive mounting, WIZARD\r\nSPIDER is seeking to maximize the number of systems that can be impacted by Ryuk’s file encryption. The Wake-on-LAN feature is a novel technique that demonstrates WIZARD SPIDER’s continued focus on increasing the\r\nmonetization of infections via ransomware. CrowdStrike Intelligence will continue to monitor any further\r\ndevelopment to Ryuk by WIZARD SPIDER. The CrowdStrike Falcon® endpoint protection platform detects and\r\nprevents Ryuk. 
For Falcon endpoint customers, prevention settings should be set at a minimum to the\r\nfollowing:\r\nNext-Gen Antivirus: Cloud/Sensor Machine Learning: Set \"Prevention\" slider to \"Moderate\"\r\nMalware Protection: Execution Blocking: Toggle \"Prevent Suspicious Processes\" to \"Enabled\"\r\nAdd any hashes to your custom blacklist for added protection\r\nSHA256 HASH | BUILD TIME\r\n74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f | 2019-10-09 22:09:27\r\n7dc3fc208c41c946ac8238405fce25e04f0c2a7a9e1d2701986217bd2445487a | 2019-10-10 09:18:33\r\nAdditional Resources\r\nFor more information on how to incorporate intelligence on dangerous threat actors into your security\r\nstrategy, please visit the CrowdStrike Falcon® Intelligence product page.\r\nRead the 2020 Global Threat Report.\r\nRead the 2019 Falcon OverWatch Report: “Observations From the Front Lines of Threat Hunting.”\r\nLearn more about the CrowdStrike Falcon® Platform by visiting the product webpage.\r\nTest CrowdStrike next-gen AV for yourself. Start your free trial of Falcon Prevent™ today.\r\nSource: https://www.crowdstrike.com/blog/wizard-spider-adds-new-feature-to-ryuk-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.crowdstrike.com/blog/wizard-spider-adds-new-feature-to-ryuk-ransomware/"
	],
	"report_names": [
		"wizard-spider-adds-new-feature-to-ryuk-ransomware"
	],
	"threat_actors": [
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434602,
	"ts_updated_at": 1775826755,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6eedcc836c4aeec23f2e1bcd4a3923aeeec51846.pdf",
		"text": "https://archive.orkl.eu/6eedcc836c4aeec23f2e1bcd4a3923aeeec51846.txt",
		"img": "https://archive.orkl.eu/6eedcc836c4aeec23f2e1bcd4a3923aeeec51846.jpg"
	}
}