silversurfer
The Ryuk ransomware has added two features to enhance its effectiveness: the ability to target systems that are in “standby” or sleep mode, and the use of Address Resolution Protocol (ARP) pinging to find drives on a company’s LAN. Both are employed after the initial network compromise of a victim organization.
Ryuk, which is distributed by the Russian-speaking Wizard Spider financial crime syndicate, is innovating in particular by using the Wake-on-LAN (WoL) utility to reach snoozing systems that it otherwise would have no ability to encrypt.
WoL is a networking standard that allows a computer to be turned on remotely, whether it’s hibernating, sleeping or even completely powered off. It works regardless of the operating system of the computer, so Windows, Mac, Linux and others are susceptible to Ryuk’s new trick. That said, the target computer will need to be configured to support WoL with a compatible BIOS and network interface card.
“Wizard Spider is seeking to maximize the number of systems that can be impacted by Ryuk’s file encryption,” said CrowdStrike Intelligence analysts, in a posting on Friday. “The Wake-on-LAN feature is a novel technique that demonstrates Wizard Spider’s continued focus on increasing the monetization of infections via ransomware.”
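For defenders, the Wake-on-LAN behaviour described above shows up on the wire as magic packets coming from hosts that have no business sending them. The following detection sketch is an added example, not part of the quoted article or of CrowdStrike's analysis. It assumes the standard magic-packet layout (six 0xFF bytes followed by the target MAC repeated 16 times); the IP addresses, MAC addresses, allow-list and threshold are constructed for illustration.

```python
from collections import defaultdict

SYNC = b"\xff" * 6  # synchronisation stream that opens every magic packet


def magic_packet_target(payload: bytes):
    """Return the target MAC if payload holds a WoL magic packet, else None."""
    start = payload.find(SYNC)
    while start != -1:
        mac = payload[start + 6:start + 12]
        # A valid packet repeats the 6-byte MAC 16 times right after the sync.
        if len(mac) == 6 and payload[start + 6:start + 102] == mac * 16:
            return ":".join(f"{b:02x}" for b in mac)
        start = payload.find(SYNC, start + 1)  # sync may sit mid-payload
    return None


def wol_fanout(frames, allowed_senders, threshold=3):
    """frames: iterable of (src_ip, payload) pairs from captured traffic.
    Return {src_ip: sorted target MACs} for senders outside allowed_senders
    that tried to wake at least `threshold` distinct machines."""
    targets = defaultdict(set)
    for src, payload in frames:
        mac = magic_packet_target(payload)
        if mac and src not in allowed_senders:
            targets[src].add(mac)
    return {s: sorted(m) for s, m in targets.items() if len(m) >= threshold}


def sample_packet(mac_hex: str) -> bytes:
    """Build a constructed magic-packet payload for the sample data below."""
    return SYNC + bytes.fromhex(mac_hex) * 16


# Constructed sample traffic: 10.0.0.5 stands in for a management server.
SAMPLE_FRAMES = [
    ("10.0.0.5", sample_packet("001122334401")),            # allow-listed
    ("10.0.0.77", sample_packet("001122334401")),
    ("10.0.0.77", sample_packet("001122334402")),
    ("10.0.0.77", b"\x00pad" + sample_packet("001122334403")),  # offset sync
    ("10.0.0.77", SYNC + b"\x00" * 20),                     # truncated, ignored
    ("10.0.0.88", sample_packet("001122334404")),           # below threshold
]

if __name__ == "__main__":
    print(wol_fanout(SAMPLE_FRAMES, allowed_senders={"10.0.0.5"}))
```

A workstation or server that suddenly sends magic packets to many distinct MAC addresses, when only a known management host normally does so, is worth an alert.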