{
	"id": "0616d6ec-2d79-4c38-97c0-dff489124e01",
	"created_at": "2026-04-06T00:09:06.401122Z",
	"updated_at": "2026-04-10T13:13:00.427807Z",
	"deleted_at": null,
	"sha1_hash": "e4993c28610d5a6caf539615625a06edc54908e0",
	"title": "Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 922515,
	"plain_text": "Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices\r\nBy Lawrence Abrams\r\nPublished: 2020-01-14 · Archived: 2026-04-05 21:09:46 UTC\r\nThe Ryuk Ransomware uses the Wake-on-Lan feature to turn on powered-off devices on a compromised network to have\r\ngreater success encrypting them.\r\nWake-on-Lan is a hardware feature that allows a powered-down device to be woken up, or powered on, by sending a special\r\nnetwork packet to it. This is useful for administrators who may need to push out updates to a computer or perform scheduled\r\ntasks when it is powered down.\r\nAccording to a recent analysis of the Ryuk Ransomware by Head of SentinelLabs Vitali Kremez, when the malware is\r\nexecuted it will spawn subprocesses with the argument '8 LAN'.\r\nhttps://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/\r\nPage 1 of 4\n\nSpawning subprocess with 8 Lan argument\r\nWhen this argument is used, Ryuk will scan the device's ARP table, which is a list of known IP addresses on the network and\r\ntheir associated MAC addresses, and check if the entries are part of the private IP address subnets of \"10.\", \"172.16.\", and\r\n\"192.168.\" \r\nChecking for private network\r\nIf the ARP entry is part of any of those networks, Ryuk will send a Wake-on-Lan (WoL) packet to the device's MAC address\r\nto have it power up. 
This WoL request comes in the form of a 'magic packet' containing 'FF FF FF FF FF FF FF FF'.\r\nRyuk sending a WoL packet\r\nIf the WoL request was successful, Ryuk will then attempt to mount the remote device's C$ administrative share.\r\nMount drive to the Remote C$ Share\r\nIf they can mount the share, Ryuk will encrypt that remote computer's drive as well.\r\nIn conversations with BleepingComputer, Kremez stated that this evolution in Ryuk's tactics allows a better reach in a\r\ncompromised network from a single device and shows the Ryuk operator's skill traversing a corporate network.\r\n\"This is how the group adapted the network-wide ransomware model to affect more machines via the single infection and by\r\nreaching the machines via WOL \u0026 ARP,\" Kremez told BleepingComputer. \"It allows for more reach and less isolation and\r\ndemonstrates their experience dealing with large corporate environments.\"\r\nTo mitigate this new feature, administrators should only allow Wake-on-Lan packets from administrative devices and\r\nworkstations.\r\nThis would allow administrators to still benefit from this feature while adding some security to the endpoints. \r\nAt the same time, this does not help if an administrative workstation is compromised, which happens quite often in targeted\r\nransomware attacks.\r\nUpdate 1/14/20 11:28 AM: CrowdStrike also has analysis of this feature here.\r\nSource: https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/"
	],
	"report_names": [
		"ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices"
	],
	"threat_actors": [],
	"ts_created_at": 1775434146,
	"ts_updated_at": 1775826780,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e4993c28610d5a6caf539615625a06edc54908e0.pdf",
		"text": "https://archive.orkl.eu/e4993c28610d5a6caf539615625a06edc54908e0.txt",
		"img": "https://archive.orkl.eu/e4993c28610d5a6caf539615625a06edc54908e0.jpg"
	}
}