When ransomware can attack organizations via USB drives and cables, best practice backup and security becomes even more critical
By Jon Fielding, Managing Director, EMEA Apricorn
Earlier this year, the FBI uncovered that a cybercrime group had been mailing out USB sticks in the hope that recipients would plug them into their PCs which would then install ransomware on their networks. UK businesses should be taking note of the trend for cyber criminals to adopt such strategies – which, more often than not, can prove effective and even damaging for organizations.
In particular, ransomware attacks have resulted in record financial payouts to criminals in 2021, just to ensure business continuity. The 2022 Unit 42 Ransomware Threat Report found that the average ransomware payment rose 78% last year to $541,010 (£414,193). Ransom demands soared by 144% to reach an eye-watering average of $2.2m (£1.7m)
Criminals will try any and every avenue to get inside access to an organisation – either physically or virtually. Ransomware-by-thumb-drive is just a new avenue that builds on the old badUSB exploit, dating back to 2006 – when an auto-run vulnerability was discovered that automatically executed malicious payloads when an ‘infected’ device was loaded.
If a USB stick with corrupted firmware can be sent to the right people in a spear phishing attempt, alongside messaging or other communication of a convincing story that means the drive in question gets used, criminals can easily gain a point of unfettered access to a network. The same attack, leveraging badUSB, can now be delivered through a simple USB cable which, to the naked eye, looks like any other cable.
How to spot and mitigate a bad USB in 2022
Unfortunately, because badUSB threats are Trojan horsed in simple human interface devices, they can be almost impossible to detect if not picked up by constant monitoring of the specific endpoint. Unknown USB devices cannot be trusted – yet Apricorn’s survey reveals that often, trust is misplaced. This means that organisations increasingly need to ensure mitigation is already in place at all times.
Typically, this must be achieved without resorting to a blanket ban on USB-enabled devices, which are ubiquitous and frequently vital today when it comes to moving and storing data, especially in a hybrid working environment where some work from home, and others in the office.
The good news is, mitigations can be easily and affordably achieved by mandating the use of corporate-standard USB devices with high-level encryption and firmware implemented in a way that makes it impossible to modify for this exploit – right across the entire organisation.
The policy can then be enforced by locking down USB ports on employee machines to ensure they can only accept an approved USB device.
Of course, such a policy will also cover off the need for a solid 321 backup strategy that requires a secure offline, off-site back-up of all critical data along with a further copy on another medium or in the cloud, for disaster recovery should the worst happen regardless.
Over half of the US and UK organisations we polled in late 2021 revealed that they had lost data due to inadequate backup procedures.
Even government departments can fall prey to such oversight – luckily, our own investigation revealed that many also encrypted their data – another key to threat mitigation overall. All data should be encrypted, whether in transit or in storage, to ensure that even if information falls into the wrong hands, it cannot be accessed.
Modern software-free, 256-bit AES XTS hardware-encrypted USB drives can therefore play a critical role in covering off many critical security and privacy requirements, while maintaining fast, convenient access for approved users at all times, wherever they are working.
Backed up with workforce-wide education – including at management level – around the threat, specifying the risks associated with using unsanctioned USBs as well as the role employees must play in countering such threats, operate as a strong, effective defence in most circumstances, as part of a multi-layered security strategy.
About the Author
Jon Fielding, Managing Director, EMEA Apricorn. Jon is responsible for Apricorn’s EMEA sales and operations strategy, driving revenue growth and establishing its channel network. CISSP-certified, he’s been focused on information security for 23 years, working with organisations ranging from IBM to start-ups including Valicert, Tumbleweed and Ironkey. In his last three roles, Jon has been first in region and tasked with establishing the company into EMEA. He has specialised in data encryption and storage for the last 10 years Jon can be reached online at Jon Fielding | LinkedIn and at our company website www.apricorn.com