Ryuk ransomware uses Wake-on-LAN to “awake” devices before attack

Ryuk ransomware uses Wake-on-LAN
Written by Emma Davis

Famous Ryuk ransomware now uses the Wake-on-LAN feature to turn on devices in a compromised network and ensure better encryption.

Wake-on-Lan is a hardware feature that allows turning off or on a device by sending it a special network packet. This is useful for administrators who may need to send updates to a computer or complete scheduled tasks when devices turned off.

According to a recent Ryuk analysis by SentinelLabs head Vitali Kremez, when a malware runing, it spawns subprocesses with argument 8 LAN.

This evolution in Ryuk’s tactics allow a better reach in a compromised network from a single device and shows the Ryuk operator’s skill traversing a corporate network”, — said Vitali Kremez.

Thus, Ryuk scans the device’s ARP table, which looks as a list of known IP addresses on the network and their associated MAC addresses, and checks whether these entries are part of the subnets “10.”, “172.16.” And “192.168”.

If the ARP entry is part of any of these subnets, Ryuk will send a Wake-on-LAN packet to the device’s MAC address to turn on and wake up, and then encrypt it.

This WoL request comes in the form of a “magic packet” containing “FF FF FF FF FF FF FF FF”.

In this way, cryptographic operators achieve distribution of their malware to as many devices as possible, which can be especially detrimental in corporate environments.

This is how the group adapted the network-wide ransomware model to affect more machines via the single infection and by reaching the machines via WOL&ARP. It allows for more reach and less isolation and demonstrates their experience dealing with large corporate environments”, — explained Vitali Kremez to BleepingComputer journalists.


To protect against this innovation, administrators should enable Wake-on-LAN packets only from administrative devices and workstations. This would allow administrators to continue using this feature, while adding some security to the endpoints.

Although even this will not help if becomes compromised workstation of the administrator, though this is exactly what happens in case of targeted attacks by cybercriminals.

How to fix?

Do not panic. Ryuk is an interesting and quite common virus, but following the recommendations of the Ryuk removal guide, you can restore files and full functionality of your PC.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Emma Davis

I'm writer and content manager (a short time ago completed a bachelor degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.

Leave a Reply