Ryuk ransomware “wakes up” turned off devices using Wake-on-Lan feature

Security researchers have observed the Ryuk ransomware using the Wake-on-LAN feature to power on switched-off devices on a compromised network so that it can encrypt them as well.

Wake-on-LAN (WoL) is a feature that lets a computer in a very low-power state be woken remotely by sending it a specially formatted network message.

According to SentinelLabs researcher Vitali Kremez, who analyzed recent Ryuk samples, the malware spawns subprocesses on execution with the argument '8 LAN'. This argument makes the subprocess read the host's ARP table and check whether the listed entries belong to the "10.", "172.16." and/or "192.168" private IP address ranges. Because an ARP table only holds hosts on the infected machine's own network segments, this step reaches directly attached subnets rather than the whole enterprise.

If an ARP entry falls in one of these ranges, the malware sends a Wake-on-LAN packet to that entry's MAC address to wake the device. The request is a 'magic packet': a datagram whose payload begins with a synchronization stream of six 0xFF bytes, followed by the target's MAC address repeated 16 times. Once the device is up, Ryuk mounts its C$ administrative share and encrypts the drive. Mounting C$ requires credentials with local administrator rights on the target, so the WoL step extends the reach of an infection that already holds such credentials; it does not by itself grant access.

“This is how the group adapted the network-wide ransomware model to affect more machines via the single infection and by reaching the machines via WOL & ARP. It allows for more reach and less isolation and demonstrates their experience dealing with large corporate environments,” explained Kremez speaking to BleepingComputer.

To reduce exposure, administrators are advised to permit Wake-on-LAN magic packets only from designated administrative hosts, for example by filtering the UDP broadcasts WoL uses (commonly ports 7 and 9) at the switch or firewall. The feature stays usable for legitimate management while ordinary workstations cannot wake their neighbours. Since Ryuk still needs administrative credentials to mount C$, this control limits the blast radius rather than preventing encryption of hosts that are already reachable; hardening credentials and lateral movement remains the primary defense.
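The ARP-scan, magic-packet and mitigation steps above, as an added worked example in Python (this is not code from the article, from SentinelLabs or from the Ryuk sample). It parses a constructed `arp -a` listing, selects private-range hosts both the way the article describes (string prefixes) and the way RFC 1918 actually defines the ranges, builds the 102-byte magic packet, and runs a detector that flags magic packets from any source not on an assumed administrative allowlist. The ARP output, datagrams and allowlist are all constructed for the example.

```python
"""Wake-on-LAN: target selection from an ARP table, magic-packet construction,
and a detector for magic packets sent by non-administrative hosts.

Added example for illustration; not code from the article, SentinelLabs or
Ryuk. The ARP output, datagrams and allowlist below are constructed.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample of Windows `arp -a` output (not a real capture).
SAMPLE_ARP_OUTPUT = """
Interface: 192.168.1.23 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.40          aa-bb-cc-dd-ee-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static

Interface: 172.20.1.23 --- 0x12
  Internet Address      Physical Address      Type
  172.20.1.9            aa-bb-cc-dd-ee-02     dynamic

Interface: 10.0.0.23 --- 0x14
  Internet Address      Physical Address      Type
  10.0.0.5              aa-bb-cc-dd-ee-03     dynamic
"""

ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(?:dynamic|static)",
    re.MULTILINE,
)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
SYNC_STREAM = b"\xff" * 6  # magic packet synchronization stream (6 x 0xFF)


def parse_arp_table(text: str) -> List[Tuple[str, str]]:
    """Return (ip, mac) pairs, MACs normalized to lowercase colon form."""
    return [(ip, mac.lower().replace("-", ":")) for ip, mac in ARP_LINE.findall(text)]


def select_wol_targets(text: str, article_prefixes: bool = False) -> List[Tuple[str, str]]:
    """ARP entries worth waking: private unicast hosts, minus broadcast/multicast.

    article_prefixes=True reproduces the string-prefix check the article
    describes ('10.', '172.16.', '192.168'), which misses most of 172.16/12.
    """
    targets = []
    for ip, mac in parse_arp_table(text):
        addr = ipaddress.ip_address(ip)
        if mac == BROADCAST_MAC or addr.is_multicast:
            continue
        if article_prefixes:
            private = ip.startswith(("10.", "172.16.", "192.168"))
        else:
            private = any(addr in net for net in RFC1918)
        if private:
            targets.append((ip, mac))
    return targets


def build_magic_packet(mac: str) -> bytes:
    """Six 0xFF bytes followed by the target MAC repeated 16 times (102 bytes)."""
    mac_bytes = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(mac_bytes) != 6:
        raise ValueError(f"bad MAC: {mac}")
    return SYNC_STREAM + mac_bytes * 16


def extract_wol_target(payload: bytes) -> Optional[str]:
    """Return the woken MAC if the payload carries a magic packet, else None.

    The magic sequence may sit at any offset, so every 0xFF run is checked.
    """
    start = 0
    while (idx := payload.find(SYNC_STREAM, start)) >= 0:
        body = payload[idx + 6: idx + 6 + 96]
        if len(body) == 96 and body == body[:6] * 16:
            return ":".join(f"{b:02x}" for b in body[:6])
        start = idx + 1
    return None


def flag_unauthorized_wol(datagrams: List[Tuple[str, int, bytes]],
                          allowed_senders: Set[str]) -> List[Dict[str, str]]:
    """Detection pass: magic packets from any source not on the admin allowlist.

    The port is ignored: WoL is usually UDP 7 or 9, but any port works, so the
    payload is the reliable signal.
    """
    alerts = []
    for src, _port, payload in datagrams:
        mac = extract_wol_target(payload)
        if mac is not None and src not in allowed_senders:
            alerts.append({"src": src, "target_mac": mac})
    return alerts


# Constructed datagrams: one from the (assumed) admin host 192.168.1.10, one
# from an infected workstation, and one unrelated DNS-shaped payload.
SAMPLE_DATAGRAMS = [
    ("192.168.1.10", 9, build_magic_packet("aa:bb:cc:dd:ee:01")),
    ("192.168.1.23", 9, build_magic_packet("00-11-22-33-44-55")),
    ("192.168.1.23", 53, b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 20),
]

if __name__ == "__main__":
    for ip, mac in select_wol_targets(SAMPLE_ARP_OUTPUT):
        print(f"would wake {ip} ({mac}): {build_magic_packet(mac).hex()[:24]}...")
    for alert in flag_unauthorized_wol(SAMPLE_DATAGRAMS, {"192.168.1.10"}):
        print("ALERT: WoL magic packet from non-admin host", alert)
```

Run as-is to see the four wakeable hosts and the single alert; feeding `flag_unauthorized_wol` UDP payloads from a packet capture, with the allowlist set to the real management hosts, turns the article's mitigation into a detection: any workstation emitting magic packets toward its neighbours is behaving like the '8 LAN' subprocess.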

