

RYUK

August 3, 2020

By Anton Kiorolgo

Suddenly, every machine in your company’s room full of networked computers comes on at once – then, like dominoes, they begin displaying the same ransom message, one by one. In a rush, you run to disconnect the remaining PCs from the network, but it is too late.

Ryuk Arrives

While this describes ransomware in general, today we’re looking at Ryuk. While it sounds like a nightmare monster from the works of H.P. Lovecraft, this beast is not fictitious.

How Ryuk Works

Wake-on-LAN (WoL) is a mechanism for turning on or waking computers over the network with a special network message. The message is sent by another member of the same network and can even be transmitted over Wi-Fi (WoWLAN). Ryuk uses these messages in its attack: after infecting one PC, it sends WoL messages to wake other machines and hops from PC to PC across the network.

Next, the Ryuk program mounts the target computer’s C$ share, rendering that computer’s remote drive useless, to complete the takeover. With the remote drive claimed, the hacker is then able to traverse the network however they wish.

A single hacker can easily take over an entire company’s network starting from just one PC. The ransomed computers act as lily pads, with the attacker jumping between them using WoL and ARP commands.

Where Did Ryuk Come From?

It is believed that Ryuk originates from the North Korean Unit 180 Spy Agency, but operates under the name of the Lazarus Group. The entire intent of this group is to raise funds for the North Korean government.


How to Prevent A Visit from Ryuk

Luckily, the advice to keep this horrifying situation from occurring is simple – only allow Wake-on-LAN packets to be sent from administratively assigned computers. Without this ability, Ryuk’s destructive powers are severely limited.

This solution allows techs to still be able to wake sleeping devices but keeps the possibility for such an attack at bay, as hackers cannot dispatch waking commands from anywhere in the network – only the main administrative workstations.

What are the downsides? Well, there is one main downside to this tactic – if administrative PCs are taken by the attackers, all lines of defense are compromised.
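The WoL hopping described under “How Ryuk Works” and the prevention advice above (only administratively assigned machines may send WoL) suggest a simple audit check. The following Python is an added example, not code from Security First IT: it parses captured UDP payloads for WoL magic packets and flags any sent by a host outside an admin allowlist; the allowlist, IP addresses and MAC addresses are constructed sample values.

```python
"""Flag Wake-on-LAN magic packets sent by hosts outside an admin allowlist."""
import ipaddress

# Constructed allowlist: the administrative workstations permitted to send WoL.
ADMIN_WOL_SENDERS = {
    ipaddress.ip_address("10.0.0.10"),
    ipaddress.ip_address("10.0.0.11"),
}


def parse_magic_packet(payload: bytes):
    """Return the target MAC ('aa:bb:cc:dd:ee:ff') if payload is a WoL magic
    packet, else None. A magic packet is 6 bytes of 0xFF followed by the
    target MAC repeated 16 times; a 4- or 6-byte SecureOn password may follow."""
    if len(payload) not in (102, 106, 108) or payload[:6] != b"\xff" * 6:
        return None
    mac = payload[6:12]
    if payload[6:102] != mac * 16:
        return None
    return ":".join(f"{b:02x}" for b in mac)


def build_magic_packet(mac: str) -> bytes:
    """Build a magic packet so the sample capture below can be constructed inline."""
    return b"\xff" * 6 + bytes.fromhex(mac.replace(":", "")) * 16


def audit_wol(packets):
    """Return one alert per magic packet whose sender is not an admin workstation.
    `packets` is a list of (src_ip, udp_payload) tuples as a capture tool might emit."""
    alerts = []
    for src_ip, payload in packets:
        target = parse_magic_packet(payload)
        if target is None:
            continue  # not a magic packet; ignore
        if ipaddress.ip_address(src_ip) not in ADMIN_WOL_SENDERS:
            alerts.append({"src": src_ip, "target_mac": target})
    return alerts


# Constructed sample capture: one legitimate admin wake, one peer-to-peer wake
# (the pattern the post describes), and one unrelated UDP datagram.
SAMPLE_CAPTURE = [
    ("10.0.0.10", build_magic_packet("00:11:22:33:44:55")),
    ("10.0.0.57", build_magic_packet("00:11:22:33:44:66")),
    ("10.0.0.57", b"hello"),
]

if __name__ == "__main__":
    for a in audit_wol(SAMPLE_CAPTURE):
        print(f"ALERT: non-admin host {a['src']} sent WoL to {a['target_mac']}")
```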

What Makes Ryuk Particularly Scary

Ryuk proves that malware, ransomware, and typical viruses can (and do) evolve. Simply take a look at a Ryuk campaign chart – it eerily resembles a strand of DNA. Ryuk was originally observed spreading via spam emails, not in the way described here; the crawling virus has since been adapted and changed.
