The Hacker Chronicles: Ransomware

Bellcurve Technology


Written by Super User
on 22 November 2012

Ah the sweet smell of success. Five months ago I was a printer/copier salesman. Today I have $1.9 million dollars of untraceable Bitcoin and am trying to figure out what part of the world I want to live in while I expand my trade.  I want someplace sunny and warm (too many cold days in Massachusetts have forever left me with a “tan deficit”) with a stable economy, stable political structure and, of course, local law enforcement that can be bought and no extradition laws.

So how did I do it? By becoming the biggest ransomware perpetrator on the net, but with a unique twist: I can get back into the network and re-encrypt the victims’ computers anytime I want to. You see, I found a way into almost any network that no one will ever suspect…the printers. That’s right, I said “printer”. It just so happens that while I was selling printers I noticed a trend of sorts. More and more companies are making it possible to perform internet printing so employees working from home can print reports or faxes right to their printer at work. Almost all printers allow access to the device to some degree without needing admin credentials. For instance, you can go in and change the language, check ink levels, change paper sizes, etc., all without needing to know the all-powerful admin password. So how did I leverage this to my advantage?

First, let’s talk about ransomware. Most of you have heard of it by now, but let’s clear up exactly what it is and what it does. Ransomware is an application that, once downloaded to the target computer, encrypts the hard drive and any device attached to it (thought you were safe with the external backup drive, didn’t you?) and at boot-up presents the user with very specific instructions on how to decrypt their computer. These instructions usually include how to pay the “ransom” so the person who targeted you will give you the decryption keys. Without the decryption keys you are just not getting your data back. This is not like a virus that you can just remove with a program. This is military-grade encryption that the NSA loathes because they cannot break it without an incredible amount of computing power thrown at it. The target is usually infected by downloading an email attachment or visiting a malicious website, where their machine gets infected with a dropper virus that then downloads the ransomware. The problem is that the person sending the ransomware to the target may have to email a million people to get just one to download the program, and there is no guarantee that one person will pay, so the economy of scale is not all that great (especially with more people learning NOT to download attachments!).

That’s where my idea came in. I found out that in most printers you can manipulate certain files to allow for an upload directly into the printer buffer itself (duh…the device is meant to upload your print jobs!) and then copy that information into the language package of the printer with an executable file. Log back onto the printer, request the language file that you just changed, and “Voila”, my executable runs! Now I just insert a couple of small programs like a network scanner and a password sniffer and I am in business. I am now on the inside of the network with a device that is rarely ever monitored for malicious activity, can scan the network for the computers I want to hack, and can even grab passwords. If I get really creative I can change a couple of the files for the printer drivers, force people to a new update site for their printer, and make them download my ransomware automatically! The best part? No one ever suspected it was the printer that started it all and no one will even think to take it off the network.
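From the defender’s side, the behaviour the story counts on going unnoticed is a printer that starts initiating connections across the network. The following Python is an added example (not code from the original post) that flags exactly that in flow records; it assumes an asset inventory naming the printer addresses, a site allow-list of what a printer may legitimately reach, and constructed flow records in (src_ip, dst_ip, dst_port) form.

```python
"""Added example (not from the original post): flag a print device that
behaves like the story's pivot, i.e. a printer that starts initiating
connections across the network. Inputs are constructed samples."""
from collections import defaultdict

# Assumption: an asset inventory tells us which addresses are printers.
PRINTERS = {"10.0.5.20", "10.0.5.21"}
# Assumption: site policy for what a printer may legitimately initiate.
ALLOWED_PAIRS = {("10.0.0.53", 53), ("10.0.0.123", 123)}  # internal DNS, NTP
ALLOWED_ANY_DST_PORTS = {443}  # vendor update/telemetry over TLS

# Constructed flow records: (src_ip, dst_ip, dst_port)
SAMPLE_FLOWS = [
    ("10.0.5.20", "10.0.0.53", 53),     # printer doing DNS: fine
    ("10.0.5.20", "10.0.0.123", 123),   # printer doing NTP: fine
    ("10.0.5.21", "10.0.0.53", 53),
    ("10.0.5.21", "10.0.1.10", 445),    # printer reaching workstations on SMB
    ("10.0.5.21", "10.0.1.11", 445),
    ("10.0.5.21", "10.0.1.12", 445),
    ("10.0.5.21", "10.0.1.13", 22),     # ...and SSH: scan-like fan-out
    ("10.0.1.10", "10.0.5.20", 9100),   # workstation printing: not printer-initiated
]


def printer_pivot_alerts(flows, fanout_threshold=3):
    """Return {printer_ip: {...}} for printers whose outbound flows leave the
    allow-list. 'scan_like' is set when distinct targets >= fanout_threshold."""
    unexpected = defaultdict(list)
    targets = defaultdict(set)
    for src, dst, port in flows:
        if src not in PRINTERS:
            continue  # only printer-initiated traffic is of interest here
        if (dst, port) in ALLOWED_PAIRS or port in ALLOWED_ANY_DST_PORTS:
            continue
        unexpected[src].append((dst, port))
        targets[src].add(dst)
    return {
        p: {"unexpected": hits,
            "fanout": len(targets[p]),
            "scan_like": len(targets[p]) >= fanout_threshold}
        for p, hits in unexpected.items()
    }


if __name__ == "__main__":
    for printer, info in printer_pivot_alerts(SAMPLE_FLOWS).items():
        print(printer, info)
```

In the constructed sample only 10.0.5.21 is reported: four flows off the allow-list to four distinct hosts, which crosses the fan-out threshold and marks it as scan-like.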

Hmm, I wonder if I can do the same thing with the wireless access point they use?