This morning, January 14th 2019, “Qurlla” of New World Hackers launched what amounts to a new form of ransomware attack, one the world has not seen before. Unlike traditional ransomware attacks, which first require a user to click on a hyperlink or download a file, this ransomware is being spread via open ports on devices located on the Internet of Things (IoT).
Traditionally, the IoT has been used to build botnets for Bitcoin mining or DDoS attacks: malware crawls different network systems on the IoT and infects any vulnerable devices it finds. Qurlla, however, appears to have coded a new piece of malware that scans for vulnerable devices on the Internet of Things and delivers the ransomware itself directly through open ports built into their software, requiring no action from the device or its user whatsoever. In effect, these devices are being infected simply by sitting dormant on the IoT, something which, at least to my knowledge, no one has pulled off before.
Also how did you get the ransomware on a printer?
— ThugCrowd (@thugcrowd) January 14, 2019
I coded a custom exploit (trojan) with a loader and sent a variety of payloads to devices with open ports. I just used the Shodan API to mass download the repositories and exploit them with my trojan. I will release the source code for the exploit next month.
— Qurlla (@Qurlla) January 14, 2019
To date, Qurlla claims to have compromised approximately 214,003 devices through a web service known as Shodan, the self-described “Search Engine for The Internet of Things,” infecting at least 150,000 with his ransomware, including TVs, laptops, PCs and Raspberry Pi servers. He has also targeted Amazon Echo devices, printers and cell phones. In statements to Rogue Media Labs, Qurlla explained that this is only the beginning and that he is still actively developing his source code, which will remain private until at least next month. For the time being, Qurlla is going to keep building upon his code, perhaps introducing a DDoS variant into the mix that would allow infected devices to coordinate with one another to carry out DDoS attacks in the future.
While it is still very early and the attack was launched only a few hours ago, Qurlla says that he has already made over $300 from infected victims, asking $150 apiece to decrypt his ransomware. Qurlla calls his new ransomware “TrojanXENE,” a custom-coded trojan which uses Ruby code to send TCP payloads and header redirects from a Google API, affecting devices found on Shodan and using the Shodan API to send the payloads and collect a response. To exploit the printers, Qurlla used CastHack source code from “HackerGiraffe,” modifying the payloads to deliver his variant.
Qurlla details that he uses a “simple SHA-1” to encrypt the devices, “but every payload is tweaked to pull off the attack,” depending on the type of device compromised. He explains how he “did code like a gui in C# earlier, but it wasn’t as efficient as just executing python commands in terminal to make this possible. There is really a mix of programming languages.” Upon turning on or accessing their device, users are greeted with a message stating “You got Hacked,” which then redirects them to a BTC payment gateway. Reportedly, users are not able to do anything on their devices until a payment of $150 is made. Below is a screenshot of the messages left behind on infected devices.
Screen Shot from Infected IoT Device:
I have infected 214,003 devices through #Shodan. I then uploaded a ransomware to over 150,000+ TV's, laptops, PC's, and #RaspberryPi servers.
Over 2.62 Terabits of traffic is being rendered throughout this cyber attack.
Other Devices Infected:
Mobile Devices pic.twitter.com/NWI1BDqe7n
— Qurlla (@Qurlla) January 14, 2019