# Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices **[bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/](https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/)** Lawrence Abrams By [Lawrence Abrams](https://www.bleepingcomputer.com/author/lawrence-abrams/) January 14, 2020 03:30 AM 5 The Ryuk Ransomware uses the Wake-on-Lan feature to turn on powered off devices on a compromised network to have greater success encrypting them. Wake-on-Lan is a hardware feature that allows a powered down device to be woken up, or powered on, by sending a special network packet to it. This is useful for administrators who may need to push out updates to a computer or perform scheduled tasks when it is powered down. According to a [recent analysis of the Ryuk Ransomware by Head of SentinelLabs Vitali](https://twitter.com/VK_Intel/status/1216351931020476417) Kremez, when the malware is executed it will spawn subprocesses with the argument '8 LAN'. **Spawning subprocess with 8 Lan argument** ----- When this argument is used, Ryuk will scan the device s ARP table, which is a list of known IP addresses on the network and their associated mac addresses, and check if the entries are part of the private IP address subnets of "10.", "172.16.", and "192.168." **Checking for private network** If the ARP entry is part of any of those networks, Ryuk will send a Wake-on-Lan (WoL) packet to the device's MAC address to have it power up. This WoL request comes in the form of a 'magic packet' containing 'FF FF FF FF FF FF FF FF'. **Ryuk sending a WoL packet** If the WoL request was successful, Ryuk will then attempt to mount the remote device's C$ administrative share ----- **Mount drive to the Remote C$ Share** If they can mount the share, Ryuk will encrypt that remote computer's drive as well. In conversations with BleepingComputer, Kremez stated that this evolution in Ryuk's tactics allow a better reach in a compromised network from a single device and shows the Ryuk operator's skill traversing a corporate network. "This is how the group adapted the network-wide ransomware model to affect more machines via the single infection and by reaching the machines via WOL & ARP," Kremez told BleepingComputer. "It allows for more reach and less isolation and demonstrates their experience dealing with large corporate environments." To mitigate this new feature, administrators should only allow Wake-on-Lan packets from administrative devices and workstations. This would allow administrators to still benefit from this feature while adding some security to the endpoints. At the same time, this does not help if an administrative workstation is compromised, which happens quite often in targeted ransomware attacks. **[Update 1/14/20 11:28 AM: CrowdStrike also has analysis of this feature here.](https://www.crowdstrike.com/blog/wizard-spider-adds-new-feature-to-ryuk-ransomware/)** ## Related Articles: [Windows 11 KB5014019 breaks Trend Micro ransomware protection](https://www.bleepingcomputer.com/news/security/windows-11-kb5014019-breaks-trend-micro-ransomware-protection/) [Industrial Spy data extortion market gets into the ransomware game](https://www.bleepingcomputer.com/news/security/industrial-spy-data-extortion-market-gets-into-the-ransomware-game/) [New ‘Cheers’ Linux ransomware targets VMware ESXi servers](https://www.bleepingcomputer.com/news/security/new-cheers-linux-ransomware-targets-vmware-esxi-servers/) [SpiceJet airline passengers stranded after ransomware attack](https://www.bleepingcomputer.com/news/security/spicejet-airline-passengers-stranded-after-ransomware-attack/) [US Senate: Govt’s ransomware fight hindered by limited reporting](https://www.bleepingcomputer.com/news/security/us-senate-govt-s-ransomware-fight-hindered-by-limited-reporting/) [ARP](https://www.bleepingcomputer.com/tag/arp/) [Packet](https://www.bleepingcomputer.com/tag/packet/) [Ransomware](https://www.bleepingcomputer.com/tag/ransomware/) [Ryuk](https://www.bleepingcomputer.com/tag/ryuk/) [Wake-on-LAN](https://www.bleepingcomputer.com/tag/wake-on-lan/) [WoL](https://www.bleepingcomputer.com/tag/wol/) [Lawrence Abrams](https://www.bleepingcomputer.com/author/lawrence-abrams/) ----- Lawrence Abrams is the owner and Editor in Chief of BleepingComputer.com. Lawrence s area of expertise includes Windows, malware removal, and computer forensics. Lawrence Abrams is a co-author of the Winternals Defragmentation, Recovery, and Administration Field Guide and the technical editor for Rootkits for Dummies. [Previous Article](https://www.bleepingcomputer.com/news/microsoft/windows-7-reaches-end-of-life-tomorrow-what-you-need-to-know/) [Next Article](https://www.bleepingcomputer.com/news/security/united-nations-targeted-with-emotet-malware-phishing-attack/) ## Comments [navidas73 - 2 years ago](https://www.bleepingcomputer.com/forums/u/1137328/navidas73/) Terrifying how much criminal energy goes into the development of RYUK ransomware. [Alovalovayea - 2 years ago](https://www.bleepingcomputer.com/forums/u/1152126/alovalovayea/) Hello, i've found SEVERAL WAYS to recover Ryuk encrypted files. I would be glad if anyone could give me some sample because it could be useful in finding a way to calculate the key instead of just recovering files. This ransomware is so advanced (in terms of his code and process) that they forgot about some SIMPLE WINDOWS'S ENVIROMENTS things that are helpful in recovering files. ----- [buddy215 - 2 years ago](https://www.bleepingcomputer.com/forums/u/64042/buddy215/) Other than using external backup copies of files encrypted on the computer....what other way have you found for "recovering" encrypted files other than decryting? Inquiring minds want to know. [Alovalovayea - 2 years ago](https://www.bleepingcomputer.com/forums/u/1152126/alovalovayea/) Just to tell you something, working on file history could let you recover everything on a company network. Every workstation can help you decrypt another workstation, but I can't give you details for now. Talking about any other method, would result on helping the hacker team behind ryuk and that's why I want to use my samples (and some more, If can get some) to calculate the key (it's not that difficult understanding how if you analyze the infection through a network sniffer on a sandbox) [Alovalovayea - 2 years ago](https://www.bleepingcomputer.com/forums/u/1152126/alovalovayea/) Sodinokibi (post August 2019 version) successfully decrypted thanks to a Facebook group who submitted samples. Ryuk's taking a bit more time but it's "vulnerable to the same method", could someone send samples? ----- Post a Comment [Community Rules](https://www.bleepingcomputer.com/posting-guidelines/) You need to login in order to post a comment [Not a member yet? Register Now](https://www.bleepingcomputer.com/forums/index.php?app=core&module=global§ion=register) ## You may also like: -----