Cybercriminals have been sending USB flash drives laced with ransomware to US businesses. Find out how this attack works and what to do about it.
If you receive a USB flash drive in the mail that you were not expecting, resist the urge to plug it into your computer. Cybercriminals have been sending USB drives laced with ransomware to US businesses, according to a security alert issued by the US Federal Bureau of Investigation (FBI) on January 6, 2022. The attackers have been using the United States Postal Service (USPS) and United Parcel Service (UPS) to deliver the malicious drives.
FIN7 Behind the BadUSB Attacks
A cybergang named FIN7 carried out the attacks. It modified off-the-shelf USB drives so that they became what is known as BadUSBs. “BadUSBs are virtual keyboards that can be programmed in advance to type out characters on a computer without physically doing so,” according to security experts.
BadUSBs automatically start running when they are plugged into a computer. They are able to execute preloaded commands extremely fast, including any that require pressing two or more keys simultaneously. This means they can access the Elevated Command Prompt on Windows devices to execute commands with administrative privileges. The BadUSBs just need to press Win+R to open the Run dialog box, type “cmd”, and then press Ctrl+Shift+Enter.
FIN7 programmed its malicious USBs to execute PowerShell commands that:
- Registered the USB drive as a Human Interface Device (HID) Keyboard with a Vendor ID (VID) of 0x2341 and a Product ID (PID) of 0x8037. The cybergang used this registration so that the BadUSB would work even if the ability to use removable storage devices was disabled in the Local Group Policy Editor.
- Downloaded and installed a ransomware variant (typically REvil or BlackMatter) and the tools needed to deploy it.
- Launched the ransomware variant on the employee’s computer and any other devices that the BadUSB was able to compromise in the company’s network.
To entice employees to plug the malicious USB drives into their computers, the cybergang turned to phishing tactics. In some of the attacks, it impersonated Amazon and sent a decorative gift box. The box contained a letter thanking the recipient for being a loyal customer, a counterfeit gift card, and a BadUSB that supposedly listed the goods for which the gift card could be used.
In other attacks, FIN7 impersonated the US Department of Health & Human Services (HHS) and sent companies a letter and a BadUSB that supposedly listed new COVID-19 regulations. The letter was made to look like an official document from HHS. The recipients were instructed to read the new regulations on the malicious USB drive and then go to a specified website, where they would need to confirm that they had read and applied them.
Be Prepared
The recent campaign isn’t the first time FIN7 carried out BadUSB attacks. In 2020, it pretended to be the Best Buy electronics chain in a campaign that closely resembled the Amazon one just described. And it won’t be the last time the cybergang sends malicious USB devices to companies. As a result, businesses need to be prepared for this type of attack.
Possible actions to help detect and prevent BadUSB attacks include:
- Create a companywide policy. The policy could state, for example, that employees are not allowed to insert any unknown USB drives into their computers without having the drives checked by the company’s IT team first.
- Implement a monitoring system. Companies can monitor their computers for specific behaviors (e.g., a keyboard being used to type faster than humanly possible or a USB device with a VID of 0x2341 and PID of 0x8037 being inserted) and perform an action when they occur (e.g., stop a process or send an alert). One downside of monitoring systems, though, is that some BadUSBs might execute their payloads before the solution can identify the behavior and act on it.
- Limit or prevent access to the Elevated Command Prompt. By making a registry edit, businesses can set a password for running CMD as an administrator. This will prevent commands that need administrator privileges from executing. Alternatively, companies can prevent access to the Command Prompt entirely using Group Policy.
- Disable the ability to use removable storage devices on employees’ computers using the Local Group Policy Editor or Group Policy Objects. Although this security measure won’t prevent FIN7’s BadUSBs from working because they are registered as keyboards, it can help harden employees’ computers against other less-advanced USB attacks.
- Install USB port blockers to physically impede access to USB ports. After they are installed, a key is used to unlock and lock the port.
- Use an advanced solution specifically designed for device control. These solutions use a variety of tools and processes (e.g., monitoring, white-lists, policies) to prevent employees from inserting unvetted USBs in their computers.
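An added example (not from the FBI alert or the original article) of the two checks named in the monitoring item above: matching inserted devices against the flagged VID/PID, and flagging keystroke bursts that arrive faster than a person can type. The device instance IDs and timestamps are constructed sample data, and the 20 ms and 10-key thresholds are assumptions to tune per environment.

```python
import re
from statistics import median

# VID/PID pair the article reports for the FIN7 BadUSBs.
FLAGGED_IDS = {(0x2341, 0x8037)}

# Windows device instance IDs embed the pair as VID_xxxx&PID_xxxx.
_VID_PID = re.compile(r"VID_([0-9A-F]{4})&PID_([0-9A-F]{4})", re.IGNORECASE)

# Assumed thresholds (not from the article): tune for your environment.
MIN_HUMAN_GAP_MS = 20   # median gap below this is treated as scripted input
MIN_BURST_KEYS = 10     # ignore short bursts such as key rollover


def flagged_devices(instance_ids):
    """Return the instance IDs whose VID/PID pair is on the flagged list."""
    hits = []
    for inst in instance_ids:
        m = _VID_PID.search(inst)
        if m and (int(m.group(1), 16), int(m.group(2), 16)) in FLAGGED_IDS:
            hits.append(inst)
    return hits


def is_injected_typing(key_times_ms):
    """True if a run of keystrokes arrives faster than a person can type."""
    if len(key_times_ms) < MIN_BURST_KEYS:
        return False  # too few keys to judge reliably
    gaps = [b - a for a, b in zip(key_times_ms, key_times_ms[1:])]
    return median(gaps) < MIN_HUMAN_GAP_MS


# Constructed sample data: device inventory and key-down timestamps (ms).
SAMPLE_DEVICES = [
    r"USB\VID_046D&PID_C31C\5&2A1B3C4D&0&2",              # unrelated keyboard
    r"USB\VID_2341&PID_8037&MI_02\6&1F2E3D4C&0&0002",     # flagged composite device
    r"HID\VID_2341&PID_8037&MI_02\7&0ABCDEF0&0&0000",     # its HID keyboard interface
    r"USB\VID_0781&PID_5581\4C530001234567890123",        # unrelated storage device
]
HUMAN = [0, 180, 330, 540, 700, 910, 1040, 1230, 1400, 1620, 1790]
INJECTED = list(range(0, 60, 5))  # 12 keys, 5 ms apart

if __name__ == "__main__":
    for dev in flagged_devices(SAMPLE_DEVICES):
        print("ALERT flagged VID/PID:", dev)
    print("human burst injected?", is_injected_typing(HUMAN))
    print("scripted burst injected?", is_injected_typing(INJECTED))
```

A VID/PID match is only a lead: the pair can be changed by whoever programs the device, so the timing check is what still applies when the identifiers differ.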
Each of these solutions has its pros and cons. We can help you determine which one is best for your company.