Wizard Spider Upgrades Ryuk Ransomware to Reach Deep into LANs

silversurfer

The Ryuk ransomware has added two features to enhance its effectiveness: The ability to target systems that are in “standby” or sleep mode; and the use of Address Resolution Protocol (ARP) pinging to find drives on a company’s LAN. Both are employed after the initial network compromise of a victim organization.

Ryuk, which is distributed by the Russian-speaking Wizard Spider financial crime syndicate, is innovating in particular by using the Wake-on-LAN (WoL) utility to reach snoozing systems that it otherwise would have no ability to encrypt.

WoL is a networking standard that allows a computer to be turned on remotely, whether it’s hibernating, sleeping or even completely powered off. It works regardless of the operating system of the computer, so Windows, Mac, Linux and others are susceptible to Ryuk’s new trick. That said, the target computer will need to be configured to support WoL with a compatible BIOS and network interface card.

“Wizard Spider is seeking to maximize the number of systems that can be impacted by Ryuk’s file encryption,” said CrowdStrike Intelligence analysts, in a posting on Friday. “The Wake-on-LAN feature is a novel technique that demonstrates Wizard Spider’s continued focus on increasing the monetization of infections via ransomware.”
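
For defenders, the Wake-on-LAN behaviour described above is visible on the wire: a WoL magic packet is six 0xFF bytes followed by the target MAC address repeated 16 times. The following is an added example, not part of the original post or of the CrowdStrike analysis. It scans captured payloads for that pattern and flags a source that wakes many distinct machines in a short window. The event tuple format, the addresses, and the window and threshold values are assumptions, and the sample data is constructed.

```python
from collections import defaultdict

SYNC = b"\xff" * 6  # WoL synchronization stream

def extract_wol_target(payload: bytes):
    """Return the target MAC if payload contains a WoL magic packet, else None."""
    start = payload.find(SYNC)
    while start != -1:
        mac = payload[start + 6:start + 12]
        body = payload[start + 6:start + 102]  # 16 repetitions x 6 bytes
        if len(body) == 96 and body == mac * 16:
            return mac.hex(":")
        start = payload.find(SYNC, start + 1)  # sync may be preceded by 0xFF padding
    return None

def find_wake_sweeps(events, window=60.0, threshold=5):
    """events: (timestamp, src_ip, payload) tuples (assumed capture format).
    Return {src_ip: [macs]} for sources that woke at least `threshold`
    distinct MACs within `window` seconds (both values are assumptions)."""
    per_src = defaultdict(list)
    for ts, src, payload in events:
        mac = extract_wol_target(payload)
        if mac:
            per_src[src].append((ts, mac))
    flagged = {}
    for src, hits in per_src.items():
        hits.sort()
        lo = 0
        for hi in range(len(hits)):
            while hits[hi][0] - hits[lo][0] > window:
                lo += 1  # slide the window start forward
            macs = {m for _, m in hits[lo:hi + 1]}
            if len(macs) >= threshold:
                flagged[src] = sorted(macs)
                break
    return flagged

def sample_magic(mac_hex: str) -> bytes:
    """Build a constructed magic-packet payload for the sample data below."""
    return SYNC + bytes.fromhex(mac_hex) * 16

# Constructed sample: one host wakes six machines in six seconds, another wakes one.
SAMPLE_EVENTS = [(float(i), "10.0.0.23", sample_magic(f"02000000000{i}")) for i in range(6)]
SAMPLE_EVENTS.append((3.0, "10.0.0.23", SYNC + b"not a magic packet"))
SAMPLE_EVENTS.append((100.0, "10.0.0.5", sample_magic("02aabbccddee")))

if __name__ == "__main__":
    for src, macs in find_wake_sweeps(SAMPLE_EVENTS).items():
        print(f"ALERT {src} woke {len(macs)} hosts: {', '.join(macs)}")
```

A single wake from a management host stays below the threshold, so the check only fires on a burst of wake requests from one source.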
 
