Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices
By Lawrence Abrams
Published: 2020-01-14 · Archived: 2026-04-05 21:09:46 UTC

The Ryuk Ransomware uses the Wake-on-Lan feature to power on devices that are switched off on a compromised network, so that it can encrypt more of them.

Wake-on-Lan (WoL) is a hardware feature that allows a powered-down device to be woken up, or powered on, by sending it a special network packet. It is useful for administrators who need to push updates to a computer or run scheduled tasks while it is powered down.

According to a recent analysis of the Ryuk Ransomware by Head of SentinelLabs Vitali Kremez, when the malware is executed it spawns subprocesses with the argument '8 LAN'.

Spawning subprocess with '8 LAN' argument

When this argument is used, Ryuk reads the device's ARP table, the cache of IP addresses the host has recently communicated with on the local network and their associated MAC addresses, and checks whether each entry falls in the private address ranges beginning "10.", "172.16.", or "192.168.".

Checking for private network

If an ARP entry is in one of those ranges, Ryuk sends a Wake-on-Lan packet to the device's MAC address to have it power up. The WoL request takes the form of a 'magic packet' containing 'FF FF FF FF FF FF FF FF'; in the standard format, a run of six 0xFF bytes is followed by the target MAC address repeated 16 times.

Ryuk sending a WoL packet

If the WoL request succeeds, Ryuk then attempts to mount the remote device's C$ administrative share.

Mounting the remote C$ share

If it can mount the share, Ryuk encrypts that remote computer's drive as well.
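The scan-and-wake stage described above, reconstructed as an added example for offline study (this is editor-written code, not Ryuk's code and not from the SentinelLabs analysis). It parses a constructed Windows `arp -a` listing, applies the literal string-prefix check the article reports, and builds a standard WoL magic packet for each match. The sample ARP rows, the `rfc1918_match` comparison function and the send helper are all assumptions added here; note that the reported '172.16.' prefix test only covers 172.16.x.x, not the whole 172.16.0.0/12 block, which the comparison makes visible.

```python
"""Added example: emulate the '8 LAN' scan-and-wake stage offline.

Parses a constructed `arp -a` listing, applies the string-prefix subnet check
the article describes, and builds the Wake-on-Lan magic packet for each match.
Nothing is sent unless send_magic_packet() is called explicitly.
"""
import ipaddress
import re
import socket

# Constructed sample of Windows `arp -a` output; not captured from a real host.
SAMPLE_ARP = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-dd-ee-ff     dynamic
  192.168.1.23          00-11-22-33-44-55     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  8.8.8.8               10-20-30-40-50-60     dynamic
  172.20.0.5            de-ad-be-ef-00-01     dynamic
"""

ARP_ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"           # IPv4 address
    r"([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})"  # MAC, dash or colon separated
)


def parse_arp_table(text):
    """Return [(ip, mac)] from arp -a output, dropping broadcast/multicast rows."""
    entries = []
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if not m:
            continue  # header / interface lines
        ip, mac = m.group(1), m.group(2).replace("-", ":").lower()
        if mac == "ff:ff:ff:ff:ff:ff" or mac.startswith("01:00:5e"):
            continue  # broadcast entry or IPv4 multicast group, not a wakeable host
        entries.append((ip, mac))
    return entries


def ryuk_prefix_match(ip):
    """The check as reported: a literal string-prefix test on the dotted IP.
    '172.16.' only matches 172.16.x.x, not all of 172.16.0.0/12."""
    return ip.startswith(("10.", "172.16.", "192.168."))


RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def rfc1918_match(ip):
    """Correct private-range test (assumed here for comparison with the prefix check)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def build_magic_packet(mac, password=b""):
    """Standard WoL magic packet: six 0xFF sync bytes, then the MAC repeated 16
    times, optionally followed by a 4- or 6-byte SecureOn password."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"bad MAC: {mac}")
    return b"\xff" * 6 + raw * 16 + password


def wol_targets(arp_text, matcher=ryuk_prefix_match):
    """(ip, mac, packet) for every ARP entry the matcher accepts."""
    return [(ip, mac, build_magic_packet(mac))
            for ip, mac in parse_arp_table(arp_text) if matcher(ip)]


def send_magic_packet(packet, dest="255.255.255.255", port=9):
    """Send over UDP broadcast (ports 7 and 9 are conventional). Not called by default."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.sendto(packet, (dest, port))


if __name__ == "__main__":
    for ip, mac, pkt in wol_targets(SAMPLE_ARP):
        print(f"{ip:<15} {mac}  {len(pkt)} bytes  {pkt[:8].hex(' ')}")
    missed = [ip for ip, _ in parse_arp_table(SAMPLE_ARP)
              if rfc1918_match(ip) and not ryuk_prefix_match(ip)]
    print("private hosts the prefix check misses:", missed)
```

Running the script against the constructed table wakes 192.168.1.1 and 192.168.1.23 and skips 8.8.8.8, but also skips 172.20.0.5 even though it is a private host; the `rfc1918_match` variant catches it. A 102-byte packet (6 + 16 × 6) with no password is what a capture of the UDP payload would show.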
In conversations with BleepingComputer, Kremez stated that this evolution in Ryuk's tactics allows greater reach into a compromised network from a single device and shows the Ryuk operators' skill at traversing a corporate network.

"This is how the group adapted the network-wide ransomware model to affect more machines via the single infection and by reaching the machines via WOL & ARP," Kremez told BleepingComputer. "It allows for more reach and less isolation and demonstrates their experience dealing with large corporate environments."

To mitigate this new feature, administrators should only allow Wake-on-Lan packets from administrative devices and workstations. This would let administrators keep the benefit of the feature while adding some protection for endpoints. At the same time, this does not help if an administrative workstation is compromised, which happens quite often in targeted ransomware attacks.

Update 1/14/20 11:28 AM: CrowdStrike also has analysis of this feature here.

Source: https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/
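The detection counterpart to the mitigation above, as an added example (editor-written, not from the article or either vendor's analysis): given UDP datagrams from a capture, flag any WoL magic packet whose sender is not on the allowlist of administrative hosts. The sender allowlist, the datagram tuples and their addresses are constructed assumptions. The detector scans for the six-byte 0xFF sync stream at any offset, since the WoL specification does not fix its position in the payload. One caveat: WoL can also be delivered as a raw Ethernet frame (EtherType 0x0842) rather than over UDP, so a UDP-only feed will not see that variant.

```python
"""Added example: flag Wake-on-Lan magic packets from non-allowlisted senders.

Operates on constructed UDP datagrams as (src_ip, dst_port, payload) tuples.
The magic sequence may sit at any offset in the payload, so we scan for it.
"""
import ipaddress

SYNC = b"\xff" * 6


def extract_wol_mac(payload):
    """Return the target MAC (colon-hex) if payload carries a magic packet, else None."""
    pos = payload.find(SYNC)
    while pos != -1:
        body = payload[pos + 6 : pos + 6 + 96]   # 16 repetitions of a 6-byte MAC
        if len(body) == 96:
            mac = body[:6]
            if mac != SYNC and body == mac * 16:  # all-0xFF is not a real target
                return ":".join(f"{b:02x}" for b in mac)
        pos = payload.find(SYNC, pos + 1)
    return None


def audit_wol(datagrams, allowed_senders):
    """Return (src_ip, target_mac) for each magic packet from a non-allowlisted sender."""
    allowed = {ipaddress.ip_address(a) for a in allowed_senders}
    alerts = []
    for src_ip, _dst_port, payload in datagrams:
        mac = extract_wol_mac(payload)
        if mac is not None and ipaddress.ip_address(src_ip) not in allowed:
            alerts.append((src_ip, mac))
    return alerts


def magic(mac_hex):
    """Build a plain magic packet for the constructed samples."""
    return SYNC + bytes.fromhex(mac_hex) * 16


# Assumed: only this (hypothetical) management host may send WoL on the segment.
ADMIN_SENDERS = ["10.0.0.5"]

# Constructed datagrams, not captured traffic.
SAMPLE_DATAGRAMS = [
    ("10.0.0.5",     9,  magic("aabbccddeeff")),                                 # legitimate admin wake
    ("192.168.1.10", 9,  magic("001122334455")),                                 # workstation waking a peer
    ("192.168.1.10", 7,  b"\x00" * 14 + magic("deadbeef0001") + b"\x00" * 6),   # offset sync + SecureOn pad
    ("192.168.1.10", 53, b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 40),           # unrelated traffic
    ("192.168.1.44", 9,  SYNC + bytes(range(96))),                               # sync bytes, no MAC repeat
]


if __name__ == "__main__":
    for src, mac in audit_wol(SAMPLE_DATAGRAMS, ADMIN_SENDERS):
        print(f"ALERT unexpected WoL from {src} targeting {mac}")
```

Against the constructed samples the audit raises two alerts, both from 192.168.1.10, which is the kind of signal the mitigation produces: a workstation that has no business waking other hosts is sending magic packets. Wiring the same `audit_wol` over a real UDP feed (ports 7 and 9 at minimum) is left to the reader's capture tooling.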