The Ryuk ransomware has added two features to enhance its effectiveness: The ability to target systems that are in “standby” or sleep mode; and the use of Address Resolution Protocol (ARP) pinging to find drives on a company’s LAN. Both are employed after the initial network compromise of a victim organization.
Ryuk, which is distributed by the Russian-speaking Wizard Spider financial crime syndicate, is innovating in particular by using the Wake-on-LAN (WoL) utility to reach snoozing systems that it otherwise would have no ability to encrypt.
WoL is a networking standard that allows a computer to be turned on remotely, whether it’s hibernating, sleeping or even completely powered off. It works regardless of the operating system of the computer, so Windows, Mac, Linux and others are susceptible to Ryuk’s new trick. That said, the target computer will need to be configured to support WoL with a compatible BIOS and network interface card.