Written by Anthony Carballo
on January 24, 2020

You probably think that when a computer is turned off nothing terrible could happen to it, with this new ransomware variant you should reconsider it.

A new variant of the known Ryuk ransomware has been seen in the wild, and it is being used by a North Korean group. These groups are known as APT (Advanced Persistent Threat) - mainly trying to steal data, disrupt operations, or destroy infrastructure.



Contrasting to most cybercriminals, APT attackers pursue their objectives over months or years. They adapt to cyber defenses and frequently retarget the same victim.

This new particularity in Ryuk, is that it uses the Wake-on-Lan feature to turn on power off devices on a compromised network to have greater success encrypting them.

A Wake-on-LAN (WoL) is a networking standard that allows a computer to be turned on or awakened by a network message. The message is usually sent to the target computer by a program executed on a device connected to the same local area network (LAN). This technology can also be used in Wide Area Networks (WAN), and even Wi-Fi, a standard called Wake on Wireless LAN (WoWLAN).




How it works

According to a recent analysis of the new Ryuk ransomware variant performed by Vitali Kremez, when the malware is executed, it will spawn subprocesses with the argument '8 LAN'.

When this argument is used, Ryuk will scan the device's ARP (Address Resolution Protocol) table, which is a list of known IP addresses on the network and their associated MAC addresses and check if the entries are part of the private IP address subnets of "10.", "172.16.", and "192.168."

If the ARP entry is part of any of those networks, Ryuk will send a Wake-on-Lan (WoL) packet to the device's MAC address to have it power up, if successfully woken up, it will attempt to mount the remote device's C$ administrative share. Administrative shares are hidden network shares created by Windows NT family of operating systems that allow system administrators to have remote access to every disk volume on a network-connected system.

If they can mount the share, Ryuk will encrypt that remote computer's drive as well.



Ryuk is a ransomware family derived from Hermes that runs on Microsoft Windows Operating Systems

This evolution in Ryuk's tactics allow a better reach in a compromised network from a single device and shows the APT group's skills implementing new tactics and techniques to infect devices.

Ransomware infections aim to encrypt your files using an encryption algorithm, which may be very difficult to decrypt. However, some alternatives can be beneficial in recovering your data. Remember that paying is not a good idea, you would be supporting cybercriminals or groups in this case, and you got zero warranties that you are getting your files back or that your information wasn't stolen instead of hijacked.





To mitigate this new feature, administrators should only allow Wake-on-Lan packets from administrative devices, however, bear in mind that if an administrative device gets compromised, this won't be a mitigation for the mentioned vulnerability.

As we have stated in other reports related to ransomware, if you encounter yourself in this situation, we recommend not paying any ransom. You can go to and get help from them. They list tools that can help you to recover your data.

Having a good cybersecurity culture both at work and at home ensures you that the risk of getting infected with ransomware is rationally minimized. Most ransomware is delivered as an attachment in an email, including an infected file such as Word, Excel, PowerPoint, PDF. Some others are delivered via Malvertising (Malicious Advertisement) or even on a compromised website.

Do yourself a favor and install behavioral analytics. Try ours for free!

Let Us Know What You Thought about this Post.

Put your Comment Below.

You may also like:

Threat report

Criminales usando Google Analytics para robar tarjetas de crédito

Investigadores informaron el lunes que cibercriminales están explotando el servicio de Google Analytics para robar infor...

Threat report

Ransomware usando mapa COVID-19

Hemos detectado un sitio web malicioso que se encuentra activo, el cual  está distribuyendo archivos sospechosos. Los mi...

Threat report

Intel processors – Another flaw but no patch available this time.

Researchers have discovered a new vulnerability that affects Intel processors, and that, for now, has no solution.