You probably assume that nothing bad can happen to a computer while it is switched off. This new ransomware variant is a reason to reconsider.
A new variant of the known Ryuk ransomware has been seen in the wild. Early reporting linked Ryuk to North Korea because it is derived from Hermes, a ransomware previously used by the Lazarus group, but later analyses attribute Ryuk operations to a financially motivated, Russian-speaking crime group. Whoever runs it, the operators behave like an APT (Advanced Persistent Threat): they stay in a network for a long time and aim to steal data, disrupt operations, or destroy infrastructure.
Unlike most cybercriminals, APT attackers pursue their objectives over months or years. They adapt to the defenses they meet and frequently retarget the same victim.
The new particularity of this Ryuk variant is that it uses the Wake-on-LAN feature to power on devices that are switched off on a compromised network, so that it can encrypt them too.
Wake-on-LAN (WoL) is a networking standard that allows a computer to be turned on or woken up by a network message. The message, known as a magic packet, is usually sent by a program running on a device connected to the same local area network (LAN): it is a broadcast frame, normally carried in UDP, containing six bytes of 0xFF followed by the target's MAC address repeated sixteen times. Because the network card stays in a low-power state and matches on its own MAC address, it can recognise the packet even though the operating system is off. With a relay or a subnet-directed broadcast the technique also works across Wide Area Networks (WAN), and there is a Wi-Fi counterpart called Wake on Wireless LAN (WoWLAN).
How it works
According to a recent analysis of the new Ryuk variant by Vitali Kremez, when the malware is executed it spawns subprocesses with the argument '8 LAN'.
When this argument is used, Ryuk reads the device's ARP (Address Resolution Protocol) table, the list of IP addresses the host has recently talked to and their associated MAC addresses, and checks whether each entry starts with one of the private address prefixes "10.", "172.16.", and "192.168.". Note that these are string prefixes rather than proper RFC 1918 ranges: "172.16." covers only a small part of 172.16.0.0/12, so a host at 172.17.x.x would be skipped.
If an ARP entry matches one of those prefixes, Ryuk sends a Wake-on-LAN (WoL) packet to the entry's MAC address to power the device up. Once the device is up, Ryuk attempts to mount its C$ administrative share. Administrative shares are hidden network shares created by the Windows NT family of operating systems that give system administrators remote access to every disk volume on a network-connected system; mounting one requires administrator credentials on the target, which Ryuk operators typically have harvested earlier in the intrusion.
If the share can be mounted, Ryuk encrypts that remote computer's drive as well.
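The following Python snippet is an added illustration, not Ryuk's code and not part of Kremez's analysis. It reproduces the target-selection logic described above on a constructed `arp -a`-style table (all addresses and MACs are made up) and builds a standard WoL magic packet for each selected entry, so you can see both the packet layout and the prefix quirk: the 172.17.0.5 host is RFC 1918 private but is not selected by the reported "172.16." prefix check.

```python
"""Added example: the reported '8 LAN' target selection and WoL magic packet format.
Not Ryuk's code; the ARP table below is constructed for illustration."""
import ipaddress
import re
import socket

# Constructed sample resembling `arp -a` output on Windows (not a real capture).
SAMPLE_ARP_TABLE = """
Interface: 192.168.1.50 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.77          aa-bb-cc-dd-ee-01     dynamic
  172.16.4.9            aa-bb-cc-dd-ee-02     dynamic
  172.17.0.5            aa-bb-cc-dd-ee-03     dynamic
  10.0.0.12             aa-bb-cc-dd-ee-04     dynamic
  8.8.8.8               aa-bb-cc-dd-ee-05     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

# The three prefixes the analysis reports Ryuk checking, as plain string prefixes.
RYUK_PREFIXES = ("10.", "172.16.", "192.168.")

ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(\w+)",
    re.M,
)


def parse_arp_table(text):
    """Return (ip, mac) tuples from arp -a style output, skipping broadcast/multicast."""
    entries = []
    for ip, mac, _type in ARP_LINE.findall(text):
        mac_norm = mac.lower().replace("-", ":")
        if mac_norm == "ff:ff:ff:ff:ff:ff" or mac_norm.startswith("01:00:5e"):
            continue
        entries.append((ip, mac_norm))
    return entries


def ryuk_selected(ip):
    """The reported check: a string prefix match, not RFC 1918 address math."""
    return ip.startswith(RYUK_PREFIXES)


def is_rfc1918(ip):
    """What a correct private-range check would say, for comparison."""
    return ipaddress.ip_address(ip).is_private


def select_targets(text):
    """Entries Ryuk would wake and try to reach, per the analysis."""
    return [(ip, mac) for ip, mac in parse_arp_table(text) if ryuk_selected(ip)]


def build_magic_packet(mac):
    """Standard WoL magic packet: 6 x 0xFF followed by the MAC repeated 16 times."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC must be 6 bytes")
    return b"\xff" * 6 + raw * 16


def send_magic_packet(mac, broadcast="255.255.255.255", port=9):
    """How the packet is normally delivered: UDP broadcast on port 9 (or 7 / 0).
    Not called by default in this example; it would wake real hosts."""
    pkt = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.sendto(pkt, (broadcast, port))
    return len(pkt)


if __name__ == "__main__":
    for ip, mac in parse_arp_table(SAMPLE_ARP_TABLE):
        print(f"{ip:16} {mac}  ryuk={ryuk_selected(ip)!s:5} rfc1918={is_rfc1918(ip)}")
    for ip, mac in select_targets(SAMPLE_ARP_TABLE):
        print(f"would wake {ip} with {len(build_magic_packet(mac))}-byte magic packet")
```

Running it lists the ARP entries with both verdicts side by side; the 102-byte packet length (6 + 16 x 6) is the signature you will look for when detecting this traffic.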
Ryuk is a ransomware family derived from Hermes that targets Microsoft Windows operating systems.
This evolution in Ryuk's tactics extends its reach in a compromised network from a single device to machines that are switched off, and shows that the group keeps investing in new tactics and techniques to infect devices.
Ransomware encrypts your files with a strong encryption algorithm; without the key, decryption is in practice not possible, unless the authors made an implementation mistake. Some alternatives can still help you recover data. Remember that paying is not a good idea: you would be funding cybercriminals, and you have no guarantee that you will get your files back or that your information was not stolen in addition to being encrypted.
To mitigate this new feature, administrators should only allow Wake-on-LAN packets from designated management devices (for example by filtering the UDP broadcast at the switch or restricting it to a management VLAN) and disable WoL in the firmware of machines that do not need it. Bear in mind that if a management device is itself compromised, this does not stop the technique. WoL only opens the door; the encryption still depends on reaching the C$ share with administrator credentials, so limiting local administrator rights, restricting SMB between workstations, and alerting on unexpected WoL traffic or admin-share mounts are the controls that actually reduce the blast radius.
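As a detection counterpart, here is an added Python example (not from the original report) that scans captured UDP datagrams for WoL magic packets and flags those whose source is not on an allowlist of management hosts. The datagrams and the allowlist are constructed; in practice you would feed it payloads pulled from a packet capture or an IDS, and the caveat above still applies: a WoL packet from a compromised management host will pass this check.

```python
"""Added example: flag WoL magic packets sent by hosts that are not allowed to
send them. Not from the original report; the capture below is constructed."""

# Assumed allowlist: the management hosts that legitimately wake machines.
ADMIN_WOL_SENDERS = {"192.168.1.10"}


def parse_magic_packet(payload):
    """Return the target MAC as a string if payload is a WoL magic packet, else None.

    Layout: 6 bytes of 0xFF, then the target MAC repeated 16 times (102 bytes),
    optionally followed by a 4- or 6-byte SecureOn password (106 or 108 bytes).
    """
    if len(payload) not in (102, 106, 108):
        return None
    if payload[:6] != b"\xff" * 6:
        return None
    mac = payload[6:12]
    if payload[6:102] != mac * 16:
        return None  # 0xFF header but body is not 16 identical copies
    return ":".join(f"{b:02x}" for b in mac)


def audit_wol(datagrams, allowed_senders=ADMIN_WOL_SENDERS):
    """Return (src_ip, target_mac) for every magic packet from an unexpected sender."""
    alerts = []
    for d in datagrams:
        mac = parse_magic_packet(d["payload"])
        if mac is None:
            continue
        if d["src"] not in allowed_senders:
            alerts.append((d["src"], mac))
    return alerts


def _mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


# Constructed datagrams (src IP, UDP dst port, payload); not a real capture.
CAPTURE = [
    # legitimate wake from the management host
    {"src": "192.168.1.10", "dport": 9,
     "payload": b"\xff" * 6 + _mac_bytes("aa:bb:cc:dd:ee:01") * 16},
    # a workstation waking a neighbour: the pattern described in the report
    {"src": "192.168.1.77", "dport": 9,
     "payload": b"\xff" * 6 + _mac_bytes("aa:bb:cc:dd:ee:02") * 16},
    # same sender, port 7, with a 6-byte SecureOn password appended
    {"src": "192.168.1.77", "dport": 7,
     "payload": b"\xff" * 6 + _mac_bytes("aa:bb:cc:dd:ee:04") * 16 + b"\x00" * 6},
    # 102 bytes starting with 0xFF but only 15 repeats: not a magic packet
    {"src": "192.168.1.77", "dport": 9,
     "payload": b"\xff" * 6 + _mac_bytes("aa:bb:cc:dd:ee:04") * 15 + b"\x00" * 6},
    # unrelated traffic
    {"src": "192.168.1.77", "dport": 53, "payload": b"\x12\x34\x01\x00"},
]


if __name__ == "__main__":
    for src, mac in audit_wol(CAPTURE):
        print(f"ALERT: {src} sent a Wake-on-LAN packet for {mac}")
```

The parser keys on the full 6 + 16 x 6 structure rather than only the 0xFF header, which keeps random broadcast noise from tripping the alert; the allowlist is the same policy the mitigation paragraph describes, expressed as a check you can run over traffic.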
As we have stated in other reports on ransomware, if you find yourself in this situation we recommend not paying any ransom. You can get help at nomoreransom.org, which lists tools that may be able to recover your data.
A good cybersecurity culture, both at work and at home, keeps the risk of a ransomware infection as low as reasonably possible. Most ransomware arrives as an email attachment, typically a booby-trapped Word, Excel, PowerPoint or PDF file. Others are delivered through malvertising (malicious advertisements) or compromised websites.
Do yourself a favor and install behavioral analytics. Try ours for free!