The Ryuk Ransomware uses the Wake-on-Lan feature to turn on powered off devices on a compromised network to have greater success encrypting them.
Wake-on-Lan is a hardware feature that allows a powered down device to be woken up, or powered on, by sending a special network packet to it. This is useful for administrators who may need to push out updates to a computer or perform scheduled tasks when it is powered down.
According to a recent analysis of the Ryuk Ransomware by Head of SentinelLabs Vitali Kremez, when the malware is executed it will spawn subprocesses with the argument '8 LAN'.
When this argument is used, Ryuk will scan the device's ARP table, which is a list of known IP addresses on the network and their associated mac addresses, and check if the entries are part of the private IP address subnets of "10.", "172.16.", and "192.168."
If the ARP entry is part of any of those networks, Ryuk will send a Wake-on-Lan (WoL) packet to the device's MAC address to have it power up. This WoL request comes in the form of a 'magic packet' containing 'FF FF FF FF FF FF FF FF'.
If the WoL request was successful, Ryuk will then attempt to mount the remote device's C$ administrative share.
If they can mount the share, Ryuk will encrypt that remote computer's drive as well.
In conversations with BleepingComputer, Kremez stated that this evolution in Ryuk's tactics allow a better reach in a compromised network from a single device and shows the Ryuk operator's skill traversing a corporate network.
"This is how the group adapted the network-wide ransomware model to affect more machines via the single infection and by reaching the machines via WOL & ARP," Kremez told BleepingComputer. "It allows for more reach and less isolation and demonstrates their experience dealing with large corporate environments."
To mitigate this new feature, administrators should only allow Wake-on-Lan packets from administrative devices and workstations.
This would allow administrators to still benefit from this feature while adding some security to the endpoints.
At the same time, this does not help if an administrative workstation is compromised, which happens quite often in targeted ransomware attacks.
Update 1/14/20 11:28 AM: CrowdStrike also has analysis of this feature here.
.jpg)
Comments
navidas73 - 3 weeks ago
Terrifying how much criminal energy goes into the development of RYUK ransomware.
Alovalovayea - 2 weeks ago
Hello, i've found SEVERAL WAYS to recover Ryuk encrypted files. I would be glad if anyone could give me some sample because it could be useful in finding a way to calculate the key instead of just recovering files. This ransomware is so advanced (in terms of his code and process) that they forgot about some SIMPLE WINDOWS'S ENVIROMENTS things that are helpful in recovering files.
buddy215 - 2 weeks ago
Other than using external backup copies of files encrypted on the computer....what other way have you found for "recovering" encrypted files other than decryting? Inquiring minds want to know.
Alovalovayea - 2 weeks ago
Just to tell you something, working on file history could let you recover everything on a company network. Every workstation can help you decrypt another workstation, but I can't give you details for now. Talking about any other method, would result on helping the hacker team behind ryuk and that's why I want to use my samples (and some more, If can get some) to calculate the key (it's not that difficult understanding how if you analyze the infection through a network sniffer on a sandbox)
Alovalovayea - 2 weeks ago
Sodinokibi (post August 2019 version) successfully decrypted thanks to a Facebook group who submitted samples. Ryuk's taking a bit more time but it's "vulnerable to the same method", could someone send samples?