2021 / Awareness / Phishing / Risk management / Uncategorized

USB sticks with ransomware – FIN7 hacker group uses hardware!

Finding a USB stick loaded with ransomware in your physical mailbox is an unusual, if not unrealistic, scenario. Many companies have prepared for this eventuality in the past with various measures. A current case shows that this threat scenario cannot yet be filed away.

The defense industry in the United States is huge. Several packages, disguised as a gift box or as Covid-19 guidelines, were delivered to companies in this sector. Each contained a USB stick carrying malware. The technique itself is not particularly innovative.

USB sticks with ransomware register with the system as a keyboard

Behind the attack is essentially a BadUSB stick, combined with the hallmarks of a sophisticated social engineering campaign. The packages are sent in the name of the U.S. Department of Health and Human Services (HHS) rather than anonymously. Nor is the USB stick the only content: the malicious hardware is accompanied by further letters and information. The recipients were not left alone with the packages either; numerous phone calls were made to press them into inserting the USB stick. The attack itself is by no means new.

Once a recipient decides to connect one of the USB sticks with ransomware, the stick registers with the system as a USB keyboard. This opens the door to keystroke input that numerous other measures are meant to prevent. Even blocking or prohibiting USB storage devices does not help at this point, because the stick never presents itself as storage.

The first step is to determine which devices are allowed. Their hardware IDs can then be permitted according to the whitelisting principle, and everything else blocked. An attack is then only technically possible if the attacker knows which hardware is in use. If the company is large enough, it is also worth considering an in-house team to maintain this list.
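The following is an added example, not code from the original article or from AWARE7, illustrating the whitelisting principle on a Linux host: it parses constructed kernel log lines for newly attached USB devices, flags any device that presents a keyboard interface but whose vendor/product ID is not on the allowlist, and renders udev rules that set `ATTR{authorized}="1"` for the approved devices. The vendor and product IDs, product names and log lines are constructed sample data; the udev rules assume the host has been configured to leave unlisted devices unauthorized by default, which is not shown here.

```python
import re
from dataclasses import dataclass

# Allowlist of approved devices as (idVendor, idProduct) pairs in the lowercase
# hex form the kernel prints. These values are constructed for the example.
ALLOWED_DEVICES = {
    ("046d", "c31c"),  # constructed: standard-issue keyboard model
    ("0781", "5583"),  # constructed: approved flash drive model
}

# Constructed kernel log lines in the usual dmesg format. Device 2-1 is a
# BadUSB-style stick that enumerates as a keyboard although nobody issued one.
SAMPLE_LOG = """\
usb 1-1: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice= 1.02
hid-generic 0003:046D:C31C.0001: input,hidraw0: USB HID v1.10 Keyboard [Approved Keyboard] on usb-0000:00:14.0-1/input0
usb 1-2: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
usb-storage 1-2:1.0: USB Mass Storage device detected
usb 2-1: New USB device found, idVendor=1b4f, idProduct=9206, bcdDevice= 1.00
hid-generic 0003:1B4F:9206.0002: input,hidraw1: USB HID v1.11 Keyboard [Unlabeled Device] on usb-0000:00:14.0-2/input1
"""

NEW_DEVICE_RE = re.compile(
    r"usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-fA-F]{4}), idProduct=(?P<pid>[0-9a-fA-F]{4})"
)
HID_KEYBOARD_RE = re.compile(
    r"hid-generic 0003:(?P<vid>[0-9A-Fa-f]{4}):(?P<pid>[0-9A-Fa-f]{4})\.\d+: "
    r".*USB HID v[\d.]+ Keyboard"
)


@dataclass
class UsbDevice:
    port: str
    vid: str
    pid: str
    keyboard: bool = False  # True once a keyboard HID interface is bound


def parse_devices(log):
    """Collect attached USB devices from kernel log lines.

    Devices are keyed by (vid, pid), so two units of the same model collapse
    into one entry; that is sufficient for an allowlist check.
    """
    devices = {}
    for line in log.splitlines():
        m = NEW_DEVICE_RE.search(line)
        if m:
            key = (m["vid"].lower(), m["pid"].lower())
            devices[key] = UsbDevice(m["port"], key[0], key[1])
            continue
        m = HID_KEYBOARD_RE.search(line)
        if m:
            key = (m["vid"].lower(), m["pid"].lower())
            if key in devices:
                devices[key].keyboard = True
    return list(devices.values())


def audit(log, allowed):
    """Return devices that present a keyboard interface but are not allowlisted.

    A storage-only block would not catch these, which is the point of the
    BadUSB technique described in the article.
    """
    return [d for d in parse_devices(log) if d.keyboard and (d.vid, d.pid) not in allowed]


def udev_allow_rules(allowed):
    """Render udev rules authorizing only the approved vendor/product pairs."""
    lines = ["# Approved devices only; assumes unlisted devices stay unauthorized by default."]
    for vid, pid in sorted(allowed):
        lines.append(
            f'ACTION=="add", SUBSYSTEM=="usb", ATTR{{idVendor}}=="{vid}", '
            f'ATTR{{idProduct}}=="{pid}", ATTR{{authorized}}="1"'
        )
    return "\n".join(lines)


if __name__ == "__main__":
    for dev in audit(SAMPLE_LOG, ALLOWED_DEVICES):
        print(f"ALERT: unapproved keyboard-class device {dev.vid}:{dev.pid} on port {dev.port}")
    print(udev_allow_rules(ALLOWED_DEVICES))
```

Run against the sample log, only the device on port 2-1 is reported: it enumerates as a keyboard but its vendor/product pair is not on the list, whereas the approved keyboard on 1-1 passes and the flash drive on 1-2 is not keyboard-class at all. The allowlist needs to be maintained from an inventory of the hardware actually issued, which is the in-house task the article alludes to.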

Attack with USB sticks is not new – but the context has been adapted

For anyone who follows attacks in the scene, the use of USB sticks with ransomware does not seem new. The FIN7 group is very creative and is best known for using phishing attacks to distribute and trigger malware.

A similar wave of attacks has already been attributed to the group. At that time, however, the packages were sent in the name of BestBuy, a US electronics retailer. The target group has also changed: back then it was mainly hotels and restaurants.

Chris Wojzechowski

My name is Chris Wojzechowski and a few years ago I completed my master's degree in Internet Security in Gelsenkirchen. I am managing partner of AWARE7 GmbH and a trained IT risk manager and IT-Grundschutz practitioner (TÜV), and I hold the audit competence for § 8a BSIG. Our bread-and-butter business is performing penetration tests. Beyond that, we are committed to a broad understanding of IT security in Europe and for this reason offer the majority of our products free of charge.