USB sticks with ransomware – FIN7 hacker group uses hardware!

Finding USB sticks loaded with ransomware in the physical mailbox is an unusual, though not unrealistic, scenario. Many companies have prepared for this eventuality with a range of measures. A current case shows that this threat scenario cannot yet be filed away.

The defense industry in the United States is huge. Several packages, disguised as a gift box or as Covid-19 guidelines, were delivered to companies in this sector. Inside were USB sticks carrying malware. The technique itself is not particularly innovative.

USB sticks with ransomware register with the system as a keyboard

At its core, the attack combines a BadUSB stick with a sophisticated social engineering campaign. The packages are sent in the name of the U.S. Department of Health and Human Services (HHS) rather than anonymously, and the USB stick is not the only content: the malicious hardware is accompanied by letters and other information. The recipients were not left alone with the packages either; numerous phone calls were made to pressure them into inserting the USB stick. The attack is by no means new.

Once a recipient decides to plug in one of the USB sticks, it registers with the system as a USB keyboard (a HID device). This opens the door to keystroke input that numerous other measures are meant to prevent. Even blocking or prohibiting USB storage devices does not help at this point, because the operating system sees a keyboard, not a storage device.

The set of permitted devices should be determined in advance, and their hardware IDs can then be allowed according to the whitelisting principle. With such an allowlist in place, an attack is only technically possible if the attacker knows which hardware the company uses. If the company is large enough, it is also worth considering a dedicated in-house team for this.
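As an added illustration of the allowlisting principle described above (example code written for this page, not from the article or from AWARE7), the following check evaluates a newly enumerated USB device against a hardware-ID allowlist and additionally inspects the interfaces the device claims, so that a stick that clones an approved vendor/product ID but also registers a keyboard endpoint is still blocked. The device records, the allowlist entries and the field names are constructed assumptions modelled on what a udev or USBGuard hook would see.

```python
from dataclasses import dataclass, field

HID_CLASS = 0x03           # USB interface class: Human Interface Device
MASS_STORAGE_CLASS = 0x08  # USB interface class: mass storage
KEYBOARD_PROTOCOL = 0x01   # HID boot-interface protocol value for keyboards
BULK_ONLY = 0x50           # mass-storage "bulk-only transport" protocol


@dataclass
class UsbDevice:
    vendor_id: int
    product_id: int
    serial: str
    interfaces: list = field(default_factory=list)  # (class, protocol) pairs


# Constructed allowlist (assumed values): hardware ID -> approved serial numbers
ALLOWLIST = {
    (0x046D, 0xC31C): {"KB-0001", "KB-0002"},  # office keyboards
    (0x0781, 0x5581): {"STICK-7A21"},          # company-issued memory sticks
}


def exposes_keyboard(dev: UsbDevice) -> bool:
    return any(c == HID_CLASS and p == KEYBOARD_PROTOCOL for c, p in dev.interfaces)


def exposes_storage(dev: UsbDevice) -> bool:
    return any(c == MASS_STORAGE_CLASS for c, _ in dev.interfaces)


def evaluate_device(dev: UsbDevice, allowlist=ALLOWLIST) -> tuple:
    """Return ('allow' | 'block', reason) for a newly enumerated device."""
    approved = allowlist.get((dev.vendor_id, dev.product_id))
    if approved is None:
        return ("block", "hardware ID not on allowlist")
    if dev.serial not in approved:
        return ("block", "allowlisted hardware ID with unapproved serial")
    # A BadUSB stick can clone an approved vendor/product ID, so also check what
    # the device actually claims to be: storage plus a keyboard endpoint is the
    # keystroke-injection pattern the article describes.
    if exposes_storage(dev) and exposes_keyboard(dev):
        return ("block", "storage device also registering as a keyboard")
    return ("allow", "approved device")


# Constructed sample enumerations
OFFICE_KEYBOARD = UsbDevice(0x046D, 0xC31C, "KB-0001", [(HID_CLASS, KEYBOARD_PROTOCOL)])
ISSUED_STICK = UsbDevice(0x0781, 0x5581, "STICK-7A21", [(MASS_STORAGE_CLASS, BULK_ONLY)])
MAILED_STICK = UsbDevice(0x0781, 0x5581, "STICK-7A21",
                         [(MASS_STORAGE_CLASS, BULK_ONLY), (HID_CLASS, KEYBOARD_PROTOCOL)])
UNKNOWN_STICK = UsbDevice(0x1234, 0xABCD, "NONE", [(MASS_STORAGE_CLASS, BULK_ONLY)])

if __name__ == "__main__":
    for name in ("OFFICE_KEYBOARD", "ISSUED_STICK", "MAILED_STICK", "UNKNOWN_STICK"):
        print(name, *evaluate_device(globals()[name]))
```

In a real deployment the same decision would be made by a USBGuard policy or a udev rule fed from the device descriptor; the logic above is the policy, not the enforcement hook.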

Attacks with USB sticks are not new – but the context has been adapted

For those who follow attacks in the scene, the use of USB sticks with ransomware will not seem new. The FIN7 group is very creative and is well known for using phishing attacks to distribute and activate malware.

A similar wave of attacks has already been attributed to the group. At that time, however, the packages were sent in the name of BestBuy, a US electronics retailer, and the target group was different: mainly hotels and restaurants.

Vincent Reckendrees

Hello, I am Vincent Reckendrees and I lead the Offensive Services team at AWARE7 GmbH. I specialized in IT security during my bachelor's and master's studies and am a BSI-certified IS penetration tester. My passion is reverse engineering, hardware security and web security. As a penetration testing expert, I find vulnerabilities in systems and networks and use them to simulate realistic cyberattacks and improve security measures. Through reverse engineering I discover flaws and opportunities for improvement in software and hardware. My skills in hardware and web security allow me to protect physical devices and online platforms against a wide range of cyber threats and to ensure their integrity and reliability.