Ryuk ransomware can now encrypt devices that are powered off. It uses a hardware feature called Wake-on-LAN to power up those devices so that it can encrypt them.
What is Wake-on-Lan?
It appears that not even powered-off devices are safe from ransomware attacks. Security researchers from SentinelLabs have detected Ryuk ransomware using the Wake-on-LAN feature to power on devices that are switched off. This in turn gives attackers greater success in encrypting a compromised network.
Wake-on-LAN (WoL) is a hardware feature used by IT system administrators to remotely power on devices on a company’s network. It lets them switch machines on without having to physically go to each one.
Administrators normally use WoL to push out updates to all devices on a network or to run scheduled tasks. If a device is turned off, the update would not occur on that device. Consequently, WoL is used to ensure all devices are powered on so that every machine receives the update.
How Ryuk Ransomware uses WoL to Encrypt Turned Off Devices
Once attackers have access to a compromised network, Ryuk is deployed to spawn subprocesses with the argument “8-LAN”. Ryuk then uses this argument to scan the device’s ARP table. This table lists the IP addresses of devices known to the host on the network and their matching MAC addresses. Ryuk checks it for IP address entries that fall within certain private IP address subnets.
When Ryuk finds a listed device that is within the targeted private subnets, it sends a WoL request to power on that device. If the request succeeds, Ryuk then attempts to mount the device’s C$ administrative share. Administrative shares are hidden network shares created by Windows operating systems; they give system administrators remote access to all the disks on a device.
If Ryuk manages to mount the administrative share, it can then encrypt that network device.
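The WoL mechanism described in the section above is unauthenticated: a “magic packet” is a UDP payload of six 0xFF bytes followed by the target MAC address repeated sixteen times, and any host on the broadcast domain can send one. That also makes the behaviour described here detectable. The following added example (written for this article, not code from SentinelLabs or from Ryuk) parses magic packets out of captured UDP traffic and flags an internal host that wakes many distinct machines in a short window, which is the lateral-movement pattern the article describes rather than a single administrative wake-up. The event tuples, IP addresses, MAC addresses, the 60-second window and the threshold of three are all constructed assumptions to tune per environment.

```python
"""Detect Wake-on-LAN magic-packet bursts in captured UDP traffic.

Added example, not part of the article or the SentinelLabs research.
All sample events below are constructed data, not real captures.
"""
import ipaddress
from collections import defaultdict

MAGIC_LEN = 102  # 6-byte 0xFF sync stream + 16 repetitions of a 6-byte MAC


def parse_magic_packet(payload: bytes):
    """Return the target MAC as 'aa:bb:cc:dd:ee:ff' if payload is a WoL magic
    packet, else None. An optional SecureOn password (4 or 6 bytes) may follow."""
    if len(payload) - MAGIC_LEN not in (0, 4, 6):
        return None
    if payload[:6] != b"\xff" * 6:
        return None
    mac = payload[6:12]
    for i in range(16):  # every one of the 16 copies must match
        if payload[6 + 6 * i : 12 + 6 * i] != mac:
            return None
    return ":".join(f"{b:02x}" for b in mac)


def build_magic_packet(mac: str) -> bytes:
    """Standard WoL payload as emitted by ordinary admin tooling; used here
    only to construct sample traffic for the detector."""
    mac_bytes = bytes.fromhex(mac.replace(":", ""))
    return b"\xff" * 6 + mac_bytes * 16


def wol_bursts(events, threshold=3, window_s=60):
    """events: iterable of (ts_seconds, src_ip, dst_ip, dst_port, payload).
    Returns {src_ip: sorted distinct target MACs} for every internal source
    that sent magic packets to at least `threshold` distinct MACs within
    any `window_s`-second window."""
    seen = defaultdict(list)  # src_ip -> [(ts, mac), ...]
    for ts, src, _dst, _dport, payload in events:
        mac = parse_magic_packet(payload)
        if mac is None:
            continue
        # The article's scenario is an already-compromised internal host;
        # wake-ups from outside the private ranges are out of scope here.
        if not ipaddress.ip_address(src).is_private:
            continue
        seen[src].append((ts, mac))

    flagged = {}
    for src, entries in seen.items():
        entries.sort()
        for t0, _ in entries:  # sliding window anchored at each packet
            macs = {m for t, m in entries if t0 <= t <= t0 + window_s}
            if len(macs) >= threshold:
                flagged[src] = sorted(macs)
                break
    return flagged


# Constructed sample traffic (assumed addresses, not from any real network).
_ADMIN, _SUSPECT, _BCAST = "10.0.0.5", "10.0.0.77", "10.0.0.255"
SAMPLE_EVENTS = [
    (0,   _ADMIN,   _BCAST, 9, build_magic_packet("00:11:22:33:44:55")),  # routine admin wake
    (100, _SUSPECT, _BCAST, 9, build_magic_packet("00:11:22:33:44:55")),
    (101, _SUSPECT, _BCAST, 9, build_magic_packet("00:11:22:33:44:56")),
    (101, _SUSPECT, _BCAST, 9, b"\xfe" * 6 + bytes(96)),                  # bad sync stream: not WoL
    (102, _SUSPECT, _BCAST, 9, build_magic_packet("00:11:22:33:44:57")),
    (103, _SUSPECT, _BCAST, 9, b"hello"),                                  # unrelated UDP datagram
    (104, _SUSPECT, _BCAST, 9, build_magic_packet("00:11:22:33:44:58") + b"\x01\x02\x03\x04"),  # SecureOn form
    (105, "203.0.113.9", _BCAST, 9, build_magic_packet("00:11:22:33:44:59")),  # external source, ignored
]

if __name__ == "__main__":
    for src, macs in wol_bursts(SAMPLE_EVENTS).items():
        print(f"{src} woke {len(macs)} distinct hosts: {', '.join(macs)}")
```

In practice the events would come from a packet capture or NetFlow-style records filtered to UDP ports 0, 7 and 9 (the ports commonly used for WoL), and the threshold should sit above the number of hosts the patch-management system legitimately wakes at once, so that scheduled update windows do not trip the rule.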
Ransomware Attacks Becoming More Targeted
Ryuk ransomware attacks, like other ransomware strains, have recently become more focused than when they first appeared. Unlike the spray-and-pray campaigns of the past, attackers are now pursuing more profitable targets. Recent ransomware targets have included large organizations, universities and government entities.
According to StateScoop’s Ransomware Attacks Map, Ryuk ransomware attacks have been carried out in at least 23 US states since its first appearance in late 2018. StateScoop reports that: “In 2019, Ryuk attacks collected $400,000 from rural Jackson County, Georgia; nearly $600,000 from Riviera Beach, Florida; $490,000 from Lake City, Florida; $130,000 from LaPorte County, Indiana; and $100,000 from the public school district in Rockville Centre, New York.”