BleepingComputer reports that the Ryuk ransomware now uses the Wake-on-LAN feature to power on devices in a compromised network so that it can encrypt more of them.
According to a recent Ryuk analysis by SentinelLabs head Vitali Kremez, when the malware runs it spawns subprocesses with the argument “8 LAN”.
Ryuk then reads the device’s ARP table, which lists the known IP addresses on the network and their associated MAC addresses, and checks whether each entry belongs to the “10.”, “172.16.” or “192.168” subnets.
If an ARP entry falls within any of these subnets, Ryuk sends a Wake-on-LAN packet to that entry’s MAC address to power the device on, and then encrypts it. In this way the ransomware operators spread their malware to as many devices as possible, which matters especially in corporate environments.
Kremez notes that, to protect against this technique, administrators should only allow Wake-on-LAN packets from administrative devices and workstations. Even this will not help, however, if the administrator’s own workstation is compromised.
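One way to enforce and monitor the restriction Kremez recommends is to inspect Wake-on-LAN traffic and flag magic packets that do not originate from an administrative host. The following detector is an added example, not code from the article or from Kremez's analysis: it parses the standard magic-packet payload (6 bytes of 0xFF followed by the target MAC repeated 16 times) and classifies each datagram against an allow-list; the hosts, subnet and MAC addresses are constructed sample values.

```python
"""Detect Wake-on-LAN magic packets sent from non-administrative hosts.

Added example (not from the article or from the Ryuk analysis it cites).
The source addresses, allow-list subnet and MAC addresses below are
constructed sample values, not real captures.
"""
import ipaddress

# A WoL magic packet starts with six 0xFF bytes ("synchronization stream").
MAGIC_HEADER = b"\xff" * 6


def parse_magic_packet(payload: bytes):
    """Return the target MAC as 'aa:bb:cc:dd:ee:ff' if payload is a valid
    magic packet, else None. Only the first 102 bytes are checked, so an
    optional SecureOn password appended by some senders is tolerated."""
    if len(payload) < 102 or not payload.startswith(MAGIC_HEADER):
        return None
    mac = payload[6:12]
    # The 6-byte MAC must be repeated exactly 16 times after the header.
    if payload[6:102] != mac * 16:
        return None
    return ":".join(f"{b:02x}" for b in mac)


def classify_wol(src_ip: str, payload: bytes, admin_networks) -> str:
    """Classify one UDP datagram (typically port 7 or 9) as 'ignore'
    (not a magic packet), 'allowed' (from an administrative network) or
    'alert' (magic packet from any other host, e.g. a compromised workstation)."""
    if parse_magic_packet(payload) is None:
        return "ignore"
    src = ipaddress.ip_address(src_ip)
    if any(src in ipaddress.ip_network(n) for n in admin_networks):
        return "allowed"
    return "alert"


def scan_events(events, admin_networks):
    """Run the classifier over (src_ip, payload) pairs, e.g. from a capture."""
    return [(src, classify_wol(src, payload, admin_networks)) for src, payload in events]


# Constructed sample data: the admin subnet and three datagrams.
ADMIN_NETWORKS = ["10.0.5.0/24"]
SAMPLE_EVENTS = [
    ("10.0.5.20", MAGIC_HEADER + bytes.fromhex("001122334455") * 16),   # admin host
    ("10.0.9.77", MAGIC_HEADER + bytes.fromhex("0a1b2c3d4e5f") * 16),   # ordinary workstation
    ("10.0.9.77", MAGIC_HEADER + bytes.fromhex("0a1b2c3d4e5f") * 15 + b"\x00" * 6),  # malformed
]

if __name__ == "__main__":
    for src, verdict in scan_events(SAMPLE_EVENTS, ADMIN_NETWORKS):
        print(f"{src}: {verdict}")
```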