BleepingComputer reports that Ryuk, a well-known ransomware, now uses the Wake-on-LAN feature to power on devices on a compromised network so that it can encrypt more of them.
To do this, Ryuk scans the device’s ARP table, which is a list of known IP addresses on the network and their associated MAC addresses, and checks whether these entries are part of the subnets “10.”, “172.16.” and “192.168”.
If an ARP entry is part of any of these subnets, Ryuk sends a Wake-on-LAN packet to the device’s MAC address to wake it up, and then encrypts it. In this way, the ransomware operators distribute their malware to as many devices as possible, which can be especially relevant in corporate environments.
Kremez notes that, to protect against this technique, administrators should allow Wake-on-LAN packets only from administrative devices and workstations. Even this will not help, however, if the administrator's own workstation is compromised.
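The recommendation above can be backed by monitoring. The following is an added example, not code from the article or from Kremez: it finds Wake-on-LAN magic packets (6 bytes of 0xFF followed by the target MAC repeated 16 times) in captured UDP payloads and reports senders outside an allowlist. The admin subnet `10.0.50.0/28`, the function names and the sample events are assumptions constructed for illustration.

```python
import ipaddress

SYNC = b"\xff" * 6  # synchronisation stream that opens every magic packet

# Assumption: hosts permitted to send Wake-on-LAN (constructed value).
ADMIN_SOURCES = [ipaddress.ip_network("10.0.50.0/28")]


def find_magic_target(payload: bytes):
    """Return the target MAC if payload holds a magic packet, else None.

    The pattern may start at any offset, so every run of 0xFF is tried.
    """
    start = payload.find(SYNC)
    while start != -1:
        mac = payload[start + 6:start + 12]
        body = payload[start + 6:start + 6 + 96]
        if len(mac) == 6 and body == mac * 16:
            return ":".join(f"{b:02x}" for b in mac)
        start = payload.find(SYNC, start + 1)
    return None


def review(events, allowed=ADMIN_SOURCES):
    """events: iterable of (src_ip, udp_payload).

    Returns {src_ip: sorted distinct target MACs} for senders that are not
    allowlisted. One workstation waking many MACs is the pattern to alert on.
    """
    hits = {}
    for src, payload in events:
        target = find_magic_target(payload)
        if target is None:
            continue
        ip = ipaddress.ip_address(src)
        if not any(ip in net for net in allowed):
            hits.setdefault(src, set()).add(target)
    return {src: sorted(macs) for src, macs in hits.items()}


def _sample(mac_hex):  # builds a constructed payload for the sample data
    return SYNC + bytes.fromhex(mac_hex) * 16


SAMPLE_EVENTS = [  # constructed, not real traffic
    ("10.0.50.5", _sample("001122334455")),               # admin host
    ("10.0.7.23", _sample("001122334455")),               # workstation
    ("10.0.7.23", b"\x00" * 4 + _sample("66778899aabb")),  # pattern at offset
    ("10.0.7.23", SYNC + bytes.fromhex("001122334455") * 15),  # truncated
]

if __name__ == "__main__":
    print(review(SAMPLE_EVENTS))
```

As the article notes, an allowlist of this kind does not help when the sender is a compromised administrative workstation, so the count of distinct targets per source is worth alerting on even for allowed hosts.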