USB sticks with ransomware – FIN7 hacker group uses hardware!

M.Sc. Chris Wojzechowski

Finding a USB stick with ransomware in your physical mailbox is an unusual, though not unrealistic, scenario. Many companies have prepared for this eventuality with various measures in the past. A current case shows that this threat scenario cannot yet be filed away.

The defense industry in the United States is huge. Packages disguised as a gift box or as Covid-19 guidelines were delivered to companies there; enclosed were USB sticks carrying malware. The technique itself is not particularly innovative.

USB sticks with ransomware register with the system as a keyboard

Behind the attack is a BadUSB stick combined with a sophisticated social engineering campaign. The packages are sent in the name of the U.S. Department of Health and Human Services (HHS) rather than anonymously, and the USB stick is not the only content: the malicious hardware is accompanied by further letters and information. The recipients were not left alone with the packages, either. Numerous phone calls were made to pressure them into inserting the USB stick. The attack technique itself is by no means new.

Once a recipient decides to connect one of the USB sticks with ransomware, it registers with the system as a USB keyboard (a HID device). This opens the door to keystroke input that numerous other measures would normally prevent. Even blocking or prohibiting USB storage devices does not help at this point, because the stick never presents itself as storage.

Permitted devices should be catalogued, and their hardware IDs can then be allowed according to the whitelisting principle. An attack is then only technically possible if the attacker knows which hardware is in use. If the company is large enough, it is also worth carefully considering an in-house team for this.
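The two points above, a stick that enumerates as a keyboard and a hardware-ID allowlist, can be turned into a simple host-side check. The following Python script is an added example and is not code from the original article or from AWARE7; it parses Linux kernel log lines of the kind `dmesg` produces, builds a record per USB device, and raises an alert when a device presents a HID keyboard interface whose vendor/product ID is not on the allowlist. The log lines, the allowlisted ID `046d:c31c` and the unknown ID `1234:5678` are all constructed for the example. As a second, added heuristic that goes beyond the article, it also flags a device that presents both a mass-storage and a keyboard interface, since a genuine flash drive has no reason to type.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Allowlist of approved keyboards by USB vendor:product ID (lowercase hex).
# 046d:c31c is an assumed entry standing in for an approved corporate keyboard.
ALLOWLIST: Set[Tuple[str, str]] = {("046d", "c31c")}

# Constructed dmesg-style sample: one approved keyboard on port 1-1 and one
# "flash disk" on port 1-2 that also enumerates as a keyboard (placeholder IDs).
SAMPLE_LOG = """\
[  123.600] usb 1-1: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice= 64.00
[  123.601] usb 1-1: Product: USB Keyboard
[  123.701] hid-generic 0003:046D:C31C.0005: input,hidraw0: USB HID v1.10 Keyboard [USB Keyboard] on usb-0000:00:14.0-1/input0
[  987.100] usb 1-2: New USB device found, idVendor=1234, idProduct=5678, bcdDevice= 1.00
[  987.101] usb 1-2: Product: Flash Disk
[  987.300] hid-generic 0003:1234:5678.0006: input,hidraw1: USB HID v1.11 Keyboard [Flash Disk] on usb-0000:00:14.0-2/input0
[  987.400] usb-storage 1-2:1.1: USB Mass Storage device detected
"""

RE_NEW_DEVICE = re.compile(
    r"usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-fA-F]{4}), idProduct=(?P<pid>[0-9a-fA-F]{4})")
RE_PRODUCT = re.compile(r"usb (?P<port>[\d.-]+): Product: (?P<name>.+)$")
RE_HID_KEYBOARD = re.compile(
    r"hid-generic \d{4}:(?P<vid>[0-9a-fA-F]{4}):(?P<pid>[0-9a-fA-F]{4})\.\d+: "
    r".*USB HID v[\d.]+ Keyboard")
RE_STORAGE = re.compile(
    r"usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")

REASON_UNKNOWN_KEYBOARD = "keyboard VID:PID not on allowlist"
REASON_STORAGE_AND_KEYBOARD = "device presents both mass storage and keyboard interfaces"


@dataclass
class UsbDevice:
    port: str            # bus-port path as the kernel names it, e.g. "1-2"
    vid: str
    pid: str
    product: str = ""
    is_keyboard: bool = False
    is_storage: bool = False


@dataclass
class Alert:
    vid: str
    pid: str
    port: str
    product: str
    reasons: List[str]


def parse_log(text: str) -> Dict[str, UsbDevice]:
    """Build one UsbDevice per enumerated device, keyed by bus port."""
    by_port: Dict[str, UsbDevice] = {}
    by_id: Dict[Tuple[str, str], UsbDevice] = {}
    for line in text.splitlines():
        m = RE_NEW_DEVICE.search(line)
        if m:
            dev = UsbDevice(m["port"], m["vid"].lower(), m["pid"].lower())
            by_port[dev.port] = dev
            by_id[(dev.vid, dev.pid)] = dev
            continue
        m = RE_PRODUCT.search(line)
        if m and m["port"] in by_port:
            by_port[m["port"]].product = m["name"].strip()
            continue
        m = RE_HID_KEYBOARD.search(line)
        if m:
            # hid-generic reports the ID, not the port, so correlate via VID:PID
            dev = by_id.get((m["vid"].lower(), m["pid"].lower()))
            if dev is not None:
                dev.is_keyboard = True
            continue
        m = RE_STORAGE.search(line)
        if m and m["port"] in by_port:
            by_port[m["port"]].is_storage = True
    return by_port


def evaluate(devices: Dict[str, UsbDevice],
             allowlist: Set[Tuple[str, str]]) -> List[Alert]:
    """Apply the allowlist and the composite-device heuristic."""
    alerts: List[Alert] = []
    for dev in devices.values():
        reasons: List[str] = []
        if dev.is_keyboard and (dev.vid, dev.pid) not in allowlist:
            reasons.append(REASON_UNKNOWN_KEYBOARD)
        if dev.is_keyboard and dev.is_storage:
            reasons.append(REASON_STORAGE_AND_KEYBOARD)
        if reasons:
            alerts.append(Alert(dev.vid, dev.pid, dev.port, dev.product, reasons))
    return alerts


if __name__ == "__main__":
    for a in evaluate(parse_log(SAMPLE_LOG), ALLOWLIST):
        print(f"ALERT {a.vid}:{a.pid} on port {a.port} ({a.product}): "
              + "; ".join(a.reasons))
```

In production the input would be `journalctl -k` or `dmesg` output rather than the embedded sample, and an alert would feed the SIEM or a udev rule that leaves the interface unauthorised. Note the limit the article itself states: vendor and product IDs are chosen by the device, so an attacker who knows which keyboards are in use can present a matching ID, which is why the allowlist is a hurdle and not a guarantee.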

Attacks with USB sticks are not new – but the context has been adapted

For those who follow attacks in the field, the use of USB sticks with ransomware does not seem new. The FIN7 group is very creative and is primarily known for using phishing attacks to distribute and activate malware.

A similar wave of attacks has already been attributed to the group. At the time, however, the packages were sent in the name of Best Buy, a US electronics retailer. The target group has also changed: back then it was mainly hotels and restaurants.

M.Sc. Chris Wojzechowski

My name is Chris Wojzechowski and I completed my Master's degree in Internet Security in Gelsenkirchen a few years ago. I am one of the two managing directors of AWARE7 GmbH and a trained IT Risk Manager and IT-Grundschutz practitioner (TÜV), and I hold the test procedure competence for § 8a BSIG. Our bread-and-butter business is performing penetration tests. We are also committed to promoting a broad understanding of IT security in Europe, which is why we offer the majority of our products free of charge.