Wizard Spider Upgrades Ryuk Ransomware to Reach Deep into LANs

Wake-on-LAN and ARP pinging have expanded Ryuk’s reach into corporate LANs — and its operators’ monetization abilities.

The Ryuk ransomware has added two features to enhance its effectiveness: The ability to target systems that are in “standby” or sleep mode; and the use of Address Resolution Protocol (ARP) pinging to find drives on a company’s LAN. Both are employed after the initial network compromise of a victim organization.

Ryuk, which is distributed by the Russian-speaking Wizard Spider financial crime syndicate, is innovating in particular by using the Wake-on-LAN (WoL) utility to reach snoozing systems that it otherwise would have no ability to encrypt.

WoL is a networking standard that allows a computer to be turned on remotely, whether it’s hibernating, sleeping or even completely powered off. It works regardless of the operating system of the computer, so Windows, Mac, Linux and others are susceptible to Ryuk’s new trick. That said, the target computer will need to be configured to support WoL with a compatible BIOS and network interface card.

“Wizard Spider is seeking to maximize the number of systems that can be impacted by Ryuk’s file encryption,” said CrowdStrike Intelligence analysts, in a posting on Friday. “The Wake-on-LAN feature is a novel technique that demonstrates Wizard Spider’s continued focus on increasing the monetization of infections via ransomware.”

WoL works by sending what’s called a “magic packet” from a WoL client elsewhere on the LAN, which can be any sort of endpoint, including a smartphone.

“To identify machines on the LAN, Ryuk reads entries in the host Address Resolution Protocol (ARP) cache; in addition, for each address in the cache, it sends a WoL magic packet,” explained the researchers. “The packet is sent over a User Datagram Protocol (UDP) socket with the socket option SO_BROADCAST using destination port 7. The WoL magic packet starts with FF FF FF FF FF FF, followed by the target’s computer MAC address.”

The WoL addition to the Ryuk arsenal does give security staff another way to detect the malware: “UDP packets observed being sent specifically to destination port 7 during a ransomware incident may be an indication that Ryuk is present,” according to CrowdStrike.

Also, there are limitations on how useful this method is, CrowdStrike analysts said: The default ARP cache timeout is short-lived on modern versions of Windows, making Ryuk’s WoL implementation “somewhat naïve.” And, only systems that have recently been put to sleep would still have their MAC address present in a remote system’s ARP cache.

This isn’t to say that the malware’s WoL approach won’t evolve over time, however.

The second fresh Ryuk feature is the use of ARP ping scanning, which also expands Wizard Spider’s ability to reach deeper into the corporate LAN of a compromised target. ARP pinging is a method for discovering and probing hosts on a computer network by sending Link Layer frames using the aforementioned ARP request method.

CrowdStrike researchers said that Ryuk checks each entry in the ARP cache to see whether it contains an IP address with the substrings “10.,” “172.16.,” or “192.168.” in it. These are IP address blocks that are reserved for private IP addresses — i.e., addresses assigned to IP devices that are communicating to other devices on the LAN, but which aren’t exposed to the internet. Private IP addresses are untracked, and tools like WhatIsMyIPaddess.com cannot geographically locate a user’s computer by their private IP address. Wizard Spider is using ARP pinging to gain visibility into these heretofore “hidden” devices.

“If an IP address contains one of these strings, it starts sending ARP and ping requests to all IP addresses in the Class C network starting with that string value,” according to the analysis. “If a host responds, Ryuk attempts to mount it as a network drive using Server Message Block (SMB), and encrypt its contents.”

Ryuk, which is mainly seen in corporate-focused attacks, sets the ransom according to the victim’s perceived ability to pay. First seen in August 2018, Ryuk detections are on the rise and increased by 88 percent between the second and third quarter of 2019, according to stats from Vectra.

“Ransomware is a fast-and-easy attack with a bigger payout than stealing and selling credit cards or personally identifiable information (PII), both of which have perishable values as time passes after their theft,” said Chris Morales, head of security analytics at Vectra, via email. “Factor in cryptocurrency as the ransom payment – an anonymous, hard-to-trace currency – and it’s easy to see why cybercriminals like ransomware’s clean, no-fuss business model. Today’s targeted ransomware attacks are an efficient, premeditated criminal threat with a rapid close and no middleman.”

Also, according to Malwarebyte’s Black Hat 2019 edition of its quarterly threat report, ransomware operators are shifting their targets from the consumer sector: Overall ransomware detections against businesses in the second quarter rose by a whopping 363 percent year-over-year, the report noted. Vectra found that as of August, Ryuk had targeted more than 100 U.S. and international businesses in 2019.

Municipalities, educational institutions and healthcare organizations have become prime Ryuk targets, likely because of a surplus of legacy infrastructure, outdated hardware and software applications, and a lack of security funding in these sectors. For instance, Massachusetts city New Bedford earlier this year faced a Ryuk payout demand of more than $5 million – one of the largest known ransoms ever (it didn’t pay). Ryuk was also behind a coordinated ransomware attack in August that hit 23 Texas state government agencies.

What are the top mistakes leading to data breaches at modern enterprises? Find out: Join expert from SpyCloud and Threatpost senior editor Tara Seals on our upcoming free Threatpost webinar, “Trends in Fortune 1000 Breach Exposure.” Click here to register.

Suggested articles