Jan 17 Blog Post – Ransomware-infected USBs

Last week, the Federal Bureau of Investigation warned government organizations and private businesses that ransomware-infested USB sticks have been mailed to targets across the United States by the criminal group FIN7 (Vaas, 2022). Concerningly, FIN7 disguised its packages to look authentic, as if they came from Amazon or from federal agencies. According to the FBI alert summarized by Vaas (2022), the sticks are not ordinary storage: once plugged in, a device registers itself as a keyboard and types commands that install malware, giving FIN7 a foothold from which it can deploy ransomware and hold the organization hostage. All it takes is one unfortunate employee connecting the device to a work computer.

This is disturbing, especially in the present pandemic, when most of the population depends on working software and internet services to stay connected to their day-to-day duties (such as their office). Although the story from Vaas (2022) concerns the United States, the same problem exists in Canada. Malware has become a serious concern since the start of the pandemic, with Canada's own federal cryptologic agency, the Communications Security Establishment, raising alarm bells that attacks are becoming more aggressive and are specifically targeting critical economic infrastructure and individual Canadians (Reuters, 2021). Since the pandemic began, ransomware attacks have grown in popularity with criminal groups. In 2021, victims of ransomware attacks lost, on average, over two million dollars, double the financial losses reported in 2020 (Reuters, 2021).

But how can someone be tricked by a random USB stick? Surprisingly, this tactic is very effective. A 2016 study tested it by dropping nearly 300 USB sticks around a university campus. Nearly half of the drives were picked up and plugged into computers by students and staff (Tischer et al. 2016, p. 1). When asked why, most of those individuals said they sincerely intended to find the drive's original owner and return it (Tischer et al. 2016).

During this pandemic, the tactic remains dangerous for unsuspecting individuals. Groups like FIN7 are exploiting people who act out of curiosity or out of a desire to identify the device's original owner and return it. Masquerading the infected devices as government property or as an Amazon delivery means even more people will be willing to believe the device can be trusted. Since USB sticks are cheap to produce and mail, they are ideal for attacking many organizations with little effort.

But how can one tell whether a device is safe to use? Vaas (2022) lists a few steps for steering clear of an infected USB device:

  1. Do not plug in an unknown USB device, especially if you do not know who its original owner is.
  2. Install endpoint protection software that monitors, and can block, new devices attaching to your computers; remember that a malicious stick may present itself as a keyboard rather than as storage.
  3. Follow the protocol called "CAP": cap the number of external entry points, reduce internal access points, and patch unknown entry points.
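Step 2 is the one that catches what step 1 misses. The following is an added example written for this post, not code from the FBI alert, from Threatpost, or from any endpoint product: it reads the attach messages the Linux kernel prints to dmesg when a USB device is connected, correlates the mass-storage and HID (keyboard) interfaces each device exposes, and flags the BadUSB pattern of a "flash drive" that also registers a keyboard, as well as any keyboard not on an allowlist. The log lines, vendor/product IDs and device names are constructed for illustration.

```python
"""Flag BadUSB-style devices from Linux kernel (dmesg) USB attach messages.

Added example for this post, not code from the FBI alert or Threatpost.
The sample log below is constructed to match the line formats the Linux
kernel emits on USB attach; IDs and product names are made up.
"""
import re

# Constructed sample log (not captured from a real incident).
# Device 1-3: an ordinary flash drive (storage interface only).
# Device 1-2: a plain keyboard (HID interface only).
# Device 1-4: a "flash drive" that also registers as a keyboard (BadUSB).
SAMPLE_DMESG = """\
[  100.101] usb 1-3: new high-speed USB device number 4 using xhci_hcd
[  100.102] usb 1-3: New USB device found, idVendor=1a2b, idProduct=0001, bcdDevice= 1.00
[  100.103] usb 1-3: Product: Pocket Drive
[  100.104] usb-storage 1-3:1.0: USB Mass Storage device detected
[  150.201] usb 1-2: new full-speed USB device number 3 using xhci_hcd
[  150.202] usb 1-2: New USB device found, idVendor=abcd, idProduct=0001, bcdDevice=64.00
[  150.203] usb 1-2: Product: Office Keyboard
[  150.204] hid-generic 0003:ABCD:0001.0001: input,hidraw0: USB HID v1.10 Keyboard [Office Keyboard] on usb-0000:00:14.0-2/input0
[  200.301] usb 1-4: new full-speed USB device number 5 using xhci_hcd
[  200.302] usb 1-4: New USB device found, idVendor=1a2b, idProduct=3c4d, bcdDevice= 1.00
[  200.303] usb 1-4: Product: USB Flash Drive
[  200.304] usb-storage 1-4:1.0: USB Mass Storage device detected
[  200.305] hid-generic 0003:1A2B:3C4D.0002: input,hidraw1: USB HID v1.11 Keyboard [USB Flash Drive] on usb-0000:00:14.0-4/input1
"""

# Kernel message patterns. The port ("1-4") ties the enumeration lines
# together; the hid-generic line carries vendor:product instead, so HID
# interfaces are joined back to the device by that pair.
NEW_DEVICE = re.compile(
    r"usb ([^:\s]+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
PRODUCT = re.compile(r"usb ([^:\s]+): Product: (.*)$")
STORAGE = re.compile(r"usb-storage ([^:\s]+):\d+\.\d+: USB Mass Storage device detected")
HID = re.compile(
    r"hid-generic 0003:([0-9A-F]{4}):([0-9A-F]{4})\.\d+: .*USB HID v[\d.]+ (\w+) \[")


def parse_dmesg(text):
    """Return {port: {vid, pid, product, storage, hid}} for each attached device."""
    devices = {}
    by_id = {}  # (vid, pid) -> port, for joining hid-generic lines
    for line in text.splitlines():
        m = NEW_DEVICE.search(line)
        if m:
            port, vid, pid = m.group(1), m.group(2).lower(), m.group(3).lower()
            devices[port] = {"port": port, "vid": vid, "pid": pid,
                             "product": "", "storage": False, "hid": set()}
            by_id[(vid, pid)] = port
            continue
        m = PRODUCT.search(line)
        if m and m.group(1) in devices:
            devices[m.group(1)]["product"] = m.group(2).strip()
            continue
        m = STORAGE.search(line)
        if m and m.group(1) in devices:
            devices[m.group(1)]["storage"] = True
            continue
        m = HID.search(line)
        if m:
            port = by_id.get((m.group(1).lower(), m.group(2).lower()))
            if port is not None:
                devices[port]["hid"].add(m.group(3))  # e.g. "Keyboard", "Mouse"
    return devices


def assess(devices, known_keyboards):
    """Return (port, severity, message) findings.

    known_keyboards: set of "vid:pid" strings for keyboards the site expects.
    A storage device that also types is the BadUSB pattern (high); any other
    keyboard not on the allowlist is worth a look (medium).
    """
    findings = []
    for d in devices.values():
        ident = f"{d['vid']}:{d['pid']}"
        label = f"{ident} ({d['product'] or 'unknown product'}) on port {d['port']}"
        if "Keyboard" in d["hid"] and d["storage"]:
            findings.append((d["port"], "high",
                             f"{label} exposes mass storage AND a keyboard: BadUSB pattern"))
        elif "Keyboard" in d["hid"] and ident not in known_keyboards:
            findings.append((d["port"], "medium",
                             f"{label} registered a keyboard not on the allowlist"))
    return findings


if __name__ == "__main__":
    # The plain keyboard on 1-2 is allowlisted (assumed site policy); the
    # "flash drive" on 1-4 is not, and would be flagged high either way.
    for port, severity, msg in assess(parse_dmesg(SAMPLE_DMESG), {"abcd:0001"}):
        print(f"[{severity.upper()}] {msg}")
```

Parsing dmesg after the fact is the detection half; the same classification can be enforced at attach time by a device-control tool that keys on USB interface classes (HID is class 03, mass storage is class 08), which is the check that endpoint protection products and open-source tools such as USBGuard implement. Either way the point is the same: the decision should be made by the machine when the device enumerates, not by the person holding the stick.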

This is not just about securing the country's vital economic infrastructure but about securing your own personal information and devices. The last thing any of us students want is to lose our data and research projects to a USB stick that supposedly holds the final exam's answers.

References

Reuters. “Ransomware attacks soar, hackers set to become more aggressive – Canada spy agency.” Reuters, December 6, 2021. https://www.reuters.com/technology/ransomware-attacks-soar-hackers-set-become-more-aggressive-canada-spy-agency-2021-12-06/ (Accessed January 16, 2022).

Tischer, Matthew, Zakir Durumeric, Sam Foster, Sunny Duan, Alec Mori, Elie Bursztein, and Michael Bailey. “Users really do plug in USB drives they find.” In 2016 IEEE Symposium on Security and Privacy (SP), pp. 306-319. IEEE, 2016.

Vaas, Lisa. "FIN7 Mails Malicious USB Sticks to Drop Ransomware." Threatpost, January 11, 2022. https://threatpost.com/fin7-mailing-malicious-usb-sticks-ransomware/177541/ (Accessed January 16, 2022).

36 Comments

  1. I do think this is a funny topic given how we all responded “the user” when asked about the biggest threat to security. I do have to wonder how ineffective this scam could be rendered by simply educating people about the mere possibility of it; most might think a USB is innocuous, and therefore safe, whereas even most do-gooders I imagine would be unwilling to put themselves at serious risk simply to return a storage device.

    Masking the malware to look like government property, or innocuous online deliveries, makes this scheme much more dangerous though, especially in the context of the pandemic. I wonder if increased interactions with services like Amazon, or government institutions through means of information has dulled people to irregularities. After living abnormally for so long, this trick becomes much more believable despite its somewhat obvious nature, which has probably contributed to its impact as well as our reliance on the internet these days.

    Good post!

  2. This seems like a strange way of going about distributing ransomware. You’d think members of FIN7 would be wary of shipping a physical product, which could potentially be traced. Most ransomware is distributed through the internet, which tells me that if authorities cannot trace FIN7 operatives through a combination of shipping addresses, DNA, and CCTV footage, they are fairly well organized and professional (obviously they are since they have been active since 2015). It backs up the Reuters article: as society becomes more digitalized and the payout for attacks becomes greater, cyber criminals will carry out attacks in a more sophisticated and professional manner. It’s almost irrelevant referring to them as cyber criminals; they are really just criminals nowadays.

    It’s funny how when defenses for sophisticated virtual attacks improve, attackers go back to old school methods with great success. Great post!

  3. This was a very fun read. I was surprised to find out over half of the students plugged in the unknown USB device into their personal computers. I guess curiosity as well as kindness to return the drive to its original owner gets users. Even though most of these attacks seem pretty simple to combat, like don't plug in an unknown USB; I believe it's the curiosity that gets the better of people. I think that security and privacy literacy should be emphasized in society and taught at a young age so individuals can help protect themselves from such attacks. Great post!

  4. This just seems to show that even nowadays when computers are not as novel that people act with a lack of care in plugging things into their computers. Reading this post gives me vibes from the past where people would put CDs gotten on the street into their computers to listen to a mixtape and infect their computers with malware. This seems to show that the user is always going to be the weakest link even more so as cyber security progresses. However, I do wonder how the government could even dissuade against packages impersonating them or large companies, as they would need to sort through all the packages and somehow recognize which packages are legitimate or fraudulent. This post was a very interesting read on how people are likely to put USBs into their computers and I really enjoyed reading the study on how students would respond to the dropped USBs.

  5. I personally didn't know how dangerous USBs could be until now! I think it's crazy that FIN7 can replicate Amazon's packages to make it seem like the USBs were sent by them, and I guess people don't consider how plugging in an unknown USB can possibly infect their computer with viruses and malware. This was a great post and more people should be aware of this, well done!

  6. The ransomware virus, which exploits people’s goodwill or curiosity to spread, is indeed one of the hardest problems to solve. I’ve come across a few malicious viruses, but they tend to be hoaxes rather than ransomware. I think the way to minimize this situation is to increase the dissemination of relevant knowledge. I don’t know if it will work on USB devices, but it’s a good solution to run on virtual machines when using software from other sources.

  7. It comes to really show that curiosity really did kill the cat. USB devices or really any form of storage device generally does invoke a user to be curious on what kind of data is kept on it (since it really is the only way to check) by unknowingly plugging it into their system; I believe that creating a sandbox layer which some antivirus software is the current optimal method of generic user safety. Beyond FIN7, I believe that this technology has actually evolved even further as there now exist charging cables which eliminate curiosity all together and simply put us at risk for an everyday essential routine.

    Good read!

  8. That was a well written post! I got to know that USB storage devices have long been a plague to companies' data security recently. These devices in general seem to be innocuous, but they really have the potential to cause many problems for a user or an organization. I believe that people should start getting aware of these kinds of storage devices and be cautious about plugging any unknown USB into their own personal computers, as these storage devices can install malware inside of any firewalls set up on your PC or network and you might not be able to detect the malware until major damage has been done.

  9. One of the most difficult problems to overcome is the ransomware virus, which spreads by exploiting people’s goodwill or curiosity. I’ve encountered a few nasty infections, but they’re more often than not hoaxes rather than ransomware. I believe that increasing the transmission of relevant knowledge is the best method to alleviate this predicament. I’m not sure if it will work on USB devices, but it’s an excellent way to execute software from other sources on virtual computers.

  10. Ransomware seems to be a central post on this blog. I think there should be more to be done to prevent ransomware attacks from occurring. However, this is the first time I heard of a USB transmitting a ransomware attack. I would assume the trouble it would take to execute a single ransomware attack. Clearly, nowadays, ransomware attacks can be more easily conducted through the web rather than through USB as it is more efficient and applicable. Nonetheless, it is important to keep in mind the turmoil that could be initiated with a USB ransomware attack, and security analysts should be mindful of the arsenal attackers have at their disposal.

  11. Interesting post! But curiosity is also really dangerous, because most of the time, when I see a USB stick, my first instinct is to plug it into my computer for no particular reason, maybe it's just the excitement of not knowing what you are going to see when you plug it into your computer. But after reading this post, I know better not to do that anymore.