{
	"id": "53b1d430-e293-45b2-9d17-ff07384d8333",
	"created_at": "2026-04-06T00:20:06.229264Z",
	"updated_at": "2026-04-10T03:20:36.130165Z",
	"deleted_at": null,
	"sha1_hash": "f44018a1f6ac74e9cdc46ad0bbc1f17a87aee1b8",
	"title": "A Deep Dive Into Wakeup On Lan (WoL) Implementation of Ryuk - Home",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1743304,
	"plain_text": "A Deep Dive Into Wakeup On Lan (WoL) Implementation of Ryuk\r\nBy Goutam Tripathy\r\nPublished: 2020-02-13 · Archived: 2026-04-05 22:03:29 UTC\r\nQuick Heal Security Labs recently came across a variant of Ryuk Ransomware which contains an additional feature of identifying and encrypting systems in a Local Area Network (LAN). This sample targets systems in the LAN that are asleep as well as those that are online. The sample is packed with a custom packer. The final unpack routine, which extracts the Ryuk Ransomware payload, is shown below.\r\nFig 1: Final Unpack Routine\r\nThe payload contains two stages of decryption routine. The output of the 1st stage is the input to the 2nd stage. The 1st stage starts by decrypting the obfuscated string “advapi32.dll” and its related function names such as CryptCreateHash, CryptHashData and CryptDestroyHash, which it uses to reverse the md5 hash “5d65e9cb5bc2a9b609299d8758d915ab” hardcoded in the file.\r\nhttps://blogs.quickheal.com/deep-dive-wakeup-lan-wol-implementation-ryuk/\r\nPage 1 of 9\n\nFig 2: De-obfuscation of 1st stage obfuscated string\r\nFig 3: After de-obfuscation\r\nThe reverse md5 lookup of 5d65e9cb5bc2a9b609299d8758d915ab is 1560ddd. During the reverse md5 lookup the sample causes high processor utilization, as the malware calculates the md5 hash of each value from 0 to 1560ddd and compares it with 5d65e9cb5bc2a9b609299d8758d915ab.\r\n“1560ddd” is then used as the input to the mathematical function below, which generates the 2nd stage key stack used to de-obfuscate all the strings used in the payload, while the 1st stage key stack is already present in the file.\r\nFig 4: Generation of Stage-2 key stack\r\nWe have used IDA Python to decrypt all obfuscated strings and rename Windows APIs and function names for better static analysis of the payload, as shown in the figure below.\r\nFig 5: Part of Obfuscated and De-Obfuscated strings\r\nFig 6: After Renaming APIs and De-obfuscating Strings\r\nExecution Part:\r\nAfter resolving the APIs and their related functions, it checks whether the command line arguments (CLA) are “8” and “LAN”. If not, it drops a copy of itself in the current location with a random filename and executes it by invoking “ShellExecuteW”.\r\nFig 7: Child Process Created with CLA “8 LAN”\r\nThe above command-line arguments point to the interesting part of this Ryuk variant, i.e. Wake on Lan (WoL). WoL is a hardware feature that allows a computer to be turned on or awakened by a network packet. The packet is usually sent to the target computer by a program executed on a device connected to the same LAN. This feature is used for administrative functions such as pushing system updates or executing scheduled tasks once the system is awakened. For sending WoL packets, the sample collects the system ARP (Address Resolution Protocol) table by calling GetIpNetTable, extracts the IPv4 address from each ARP structure and then sends a WoL packet for each valid IP address entry.\r\nFig 8: Extracting ARP Table of System\r\nFig 9: Structure Of ARP Table\r\nWe can view the ARP entries of a system by executing “ARP -A” in cmd. After extracting a valid IPv4 address, it sends the magic packet to the target host. This packet is sent over a User Datagram Protocol (UDP) socket with the socket option SO_BROADCAST, using destination port 7. The WoL magic packet starts with FF FF FF FF FF FF followed by the target computer’s MAC address.\r\nFig 10: Magic Packet for WoL\r\nFig 11: Magic Packet for WoL Implemented by Ryuk\r\nAfter a successful WoL operation, it tries to mount the remote device’s c$ administrative share. If it can mount the share, it proceeds to encrypt the remote host’s drive. But before starting encryption, it checks whether it is running inside a VM by enumerating processes and services.\r\nFig 12: Enumerate Process and Service for Checking Virtual Machines\r\nIt then proceeds to import the RSA 2048-bit public key hardcoded in the file and to delete the shadow copies by invoking “WMIC” and “vssadmin”, as shown in the figure below.\r\nFig 13: Importing RSA Public Key and Deleting Shadow Copy\r\nIt also tries to move laterally to other hosts in the network by checking the IP address assigned to the system. If the IPv4 address belongs to the 172.16. or 192.168. range (private IPv4 addresses typically assigned in a LAN environment), it sends an “IcmpEchoRequest” packet to the target IPv4 address using the “IcmpSendEcho” API, instead of using the native ping command.\r\nIf it has access to a host/system that is online in the LAN, it encrypts that system as well. For the encryption process it uses a combination of RSA-2048 and AES-256; it generates a different AES key for each file using the “CryptGenKey” API.\r\nFig 14: Generating AES 256 bit Using CryptGenKey\r\nAfter encrypting a file it writes the marker “HERMES” into the file, to identify whether the file has been encrypted. Ryuk is the successor to Hermes Ransomware, as the two share most of their implementation. It appends the encrypted AES key in Microsoft SIMPLEBLOB format to the footer of the file.\r\nFig 15: Encrypted File Structure\r\nConclusion:\r\nBy using WoL and ping scanning APIs to wake up systems and move laterally in the network, Ryuk has tried to encrypt the maximum number of systems. These features signify the focus of this ransomware on increasing its monetization by infecting as many systems as possible.\r\nRyuk was initially associated with an APT group and remained undetected for months; it then evolved to encrypt all network devices, and now with WoL it wakes up systems in the LAN to increase its success in encrypting a larger number of systems.\r\nHow Quick Heal protects its users from such attacks:\r\nQuick Heal products are built with the following multi-layered security that helps counter such attacks.\r\n    1. Anti-Ransomware\r\nSpecially designed to counter ransomware attacks, this feature detects ransomware by tracking its execution sequence.\r\n    2. Firewall\r\nBlocks malicious attempts to breach network connections.\r\n    3. IDS/IPS\r\nDetects RDP brute force attempts and blocks the remote attacker IP for a defined period.\r\n    4. Virus Protection\r\nOnline virus protection service detects the known variants of the ransomware.\r\n    5. Behaviour-based Detection System\r\nTracks the activity of executable files and blocks malicious files.\r\n    6. Back-Up and Restore\r\nHelps you take regular backups of your data and restore it whenever needed.\r\nIoC:\r\n987336D00FDBEC3BCDB95B078F7DE46F\r\nDetection name:\r\nTrojan.HermezRI.S10666632\r\nSource: https://blogs.quickheal.com/deep-dive-wakeup-lan-wol-implementation-ryuk/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blogs.quickheal.com/deep-dive-wakeup-lan-wol-implementation-ryuk/"
	],
	"report_names": [
		"deep-dive-wakeup-lan-wol-implementation-ryuk"
	],
	"threat_actors": [],
	"ts_created_at": 1775434806,
	"ts_updated_at": 1775791236,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f44018a1f6ac74e9cdc46ad0bbc1f17a87aee1b8.pdf",
		"text": "https://archive.orkl.eu/f44018a1f6ac74e9cdc46ad0bbc1f17a87aee1b8.txt",
		"img": "https://archive.orkl.eu/f44018a1f6ac74e9cdc46ad0bbc1f17a87aee1b8.jpg"
	}
}