Back to FeedTechnology

Everest ransomware adopts wake-on-LAN to encrypt dormant devices

The Everest ransomware group, active since 2020, has adopted a rare tactic of leveraging Wake-on-LAN to remotely power on dormant devices across networks,…

7 min read0 views0 likesMefico News Editor·
Aa
Everest ransomware adopts wake-on-LAN to encrypt dormant devices

The Everest ransomware operation has introduced a rare and aggressive technique that challenges conventional cybersecurity assumptions: using Wake-on-LAN (WoL) to remotely power on dormant computers before encrypting them. This tactic, first observed in late 2025 and now widely documented in 2026, allows attackers to maximize the number of encrypted devices across a victim's network, including those that employees believed were safely shut down. The development marks a significant escalation in ransomware sophistication, forcing organizations worldwide to rethink their network security postures.

How Wake-on-LAN Became a Cyber Weapon

Wake-on-LAN is a decades-old networking standard designed to help IT administrators remotely power on computers for maintenance and updates. By sending a 'magic packet' containing the target device's MAC address, administrators can boot systems without physical access. Everest's operators have weaponized this legitimate feature, incorporating it into their attack chain to eliminate blind spots. After gaining initial access to a corporate network, the group conducts reconnaissance to harvest MAC addresses, then broadcasts WoL packets to activate all dormant machines before deploying the ransomware payload simultaneously.

The tactical advantage is clear: organizations often power down workstations during off-hours to save energy, assuming those devices are safe from cyber threats. Everest shatters this assumption. According to a 2026 report by cybersecurity firm Mandiant, the group has successfully encrypted up to 40% more devices per incident by leveraging WoL, compared to traditional ransomware deployments. This increased impact translates directly into higher ransom payments, as victims face near-total operational paralysis. The technique also complicates incident response, since security teams must now account for devices they assumed were offline and protected.

Technical Mechanics of the Attack

The WoL-based attack relies on the fact that most enterprise networks leave the feature enabled by default on workstations. Everest's operators use tools like Cobalt Strike and custom scripts to map the network, extract MAC addresses from ARP tables, and send magic packets through compromised jump servers. Because WoL traffic often appears benign to intrusion detection systems, the attack can proceed without triggering alerts. Once the dormant machines boot up, they become vulnerable to the ransomware's encryption routine, which typically leverages AES-256 and RSA encryption algorithms to lock files before displaying a ransom note demanding payment in Bitcoin or Monero.

Everest's Broader Operation and Victimology

Active since December 2020, the Everest ransomware group operates under a ransomware-as-a-service (RaaS) model, recruiting affiliates to carry out attacks in exchange for a share of the profits. The group primarily targets mid-sized enterprises in North America and Europe, with a particular focus on healthcare, financial services, and critical infrastructure sectors. Everest employs a double-extortion strategy: encrypting data while also exfiltrating sensitive files and threatening to publish them on a dark web leak site if the ransom is not paid. The addition of WoL capabilities in 2025 and its refinement in 2026 has made Everest one of the most technically innovative ransomware operations currently active.

In one notable incident from early 2026, Everest targeted a European logistics company, using WoL to activate over 800 workstations that had been shut down for the weekend. The resulting encryption event crippled the company's operations for nearly two weeks, with ransom demands exceeding $3 million. The incident highlighted how WoL-based attacks can disproportionately impact organizations with hybrid work models, where devices remain powered off for extended periods. Security researchers warn that other major ransomware groups, including LockBit and BlackCat, are now experimenting with similar techniques, suggesting that WoL-enabled attacks could become an industry standard by 2027.

The Double-Extortion Playbook

Everest's double-extortion model amplifies the pressure on victims. After encrypting files, the group exfiltrates terabytes of sensitive data—ranging from customer records to intellectual property—and threatens to auction or publish it. The WoL tactic ensures that even backup servers and auxiliary systems, often kept offline for security, are brought online and compromised. This comprehensive approach leaves victims with few options: pay the ransom, rebuild from scratch, or risk catastrophic data exposure. In 2026, the average ransom paid to Everest has reportedly increased by 30% compared to the previous year, reflecting the higher stakes created by the WoL technique.

Global Implications for Cybersecurity Strategy

The adoption of WoL by ransomware groups has profound implications for global cybersecurity practices. Traditional defense strategies often assume that powered-off devices are inherently secure, a premise that Everest has now invalidated. Organizations worldwide are being forced to reassess their network configurations, with many choosing to disable WoL entirely unless absolutely necessary. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory in March 2026 specifically addressing WoL-based ransomware risks, recommending that enterprises implement network segmentation, disable WoL on all non-essential devices, and monitor for anomalous magic packet traffic.

For multinational corporations with complex, geographically distributed networks, the challenge is even greater. A single compromised branch office can serve as a beachhead for WoL attacks that ripple across the entire organization. In response, companies are investing in zero-trust architectures that require continuous authentication for all devices, regardless of their power state. The cybersecurity industry is also developing new detection tools that use machine learning to distinguish between legitimate administrative WoL traffic and malicious activity, though these solutions remain expensive and complex to deploy at scale. As of mid-2026, only 15% of Fortune 500 companies have fully implemented such advanced protections.

The IoT and Remote Management Frontier

Looking ahead, security experts warn that the WoL tactic is just the beginning. Ransomware groups are already exploring ways to exploit other remote management technologies, such as Intel vPro, AMD DASH, and IPMI (Intelligent Platform Management Interface), to compromise devices at the firmware level. The proliferation of Internet of Things (IoT) devices in corporate environments—smart lighting, IP cameras, and environmental sensors—further expands the attack surface. These devices often support wake-on-signal features and lack robust security controls, making them attractive targets for future ransomware campaigns. The 2026 threat landscape suggests that organizations must prepare for a world where no connected device can be considered truly offline.

Regional Vulnerabilities and the Developing World

While Everest has primarily targeted North America and Europe, the WoL tactic poses an even greater threat to organizations in developing economies, where cybersecurity awareness and investment often lag behind. In regions such as Southeast Asia, Africa, and Latin America, many businesses operate with outdated network equipment that ships with WoL enabled by default and lacks the capability to disable it. A 2026 survey by the International Telecommunication Union (ITU) found that 72% of small and medium enterprises in these regions had never audited their WoL configurations, leaving them critically exposed. The cost of a successful ransomware attack—often exceeding $500,000 in recovery expenses—can be devastating for businesses in these markets.

International cybersecurity organizations are calling for coordinated action to address this growing threat. Proposals include mandatory security baselines for network equipment sold in developing countries, subsidized cybersecurity training programs, and the establishment of regional incident response teams capable of handling WoL-based ransomware attacks. The World Economic Forum's 2026 Global Cybersecurity Outlook report identified WoL-enabled ransomware as one of the top five emerging threats to global economic stability, emphasizing the need for public-private partnerships to mitigate the risk. Without concerted effort, the gap between prepared and vulnerable nations is likely to widen significantly in the coming years.

Building Resilience at Scale

To counter the WoL threat, organizations must adopt a multi-layered defense strategy. This includes disabling WoL at the BIOS level on all endpoints where remote wake-up is not strictly required, implementing 802.1X network access control to prevent unauthorized devices from joining the network, and deploying endpoint detection and response (EDR) solutions that can identify ransomware behavior patterns before encryption begins. Regular red-team exercises that simulate WoL-based attacks are also becoming a standard practice among security-conscious enterprises. As the ransomware ecosystem continues to evolve, the lesson from Everest is clear: in the modern threat landscape, even a powered-off device can become a liability.

⚙️ This content was drafted by an AI assistant and reviewed by the Mefico News editorial team.