Beware of Bad USB Attacks: New ransomware campaigns come via stick

27. January, 2022

Tip #1 first: Never plug in an unknown USB stick!

More than 20 years ago, USB sticks replaced the unwieldy and notoriously unreliable floppy disks. Since the beginning of development, however, the basic structure of the versatile USB interface has suffered from considerable weaknesses. There are only insufficient safeguards against misuse and deception.

As early as 2014, it was pointed out at the Black Hat Conference that harmless USB devices can simply be reprogrammed and connect as a malicious device. This type of attack was called “Bad USB”. [1,2] In various scenarios, a USB stick can register itself as a keyboard or other input device and thus introduce arbitrary commands into the system under the current user account.

What dangers can USB sticks pose?

In 2016, a Google researcher distributed around 300 USB sticks in public places. The car parks and entrance areas of companies were particularly popular. His experiment was quite successful: about 50% of the data carriers were plugged in and the files contained on them were opened. [3] Comparable scenarios are conceivable for the most diverse types of malware:

  • Redirecting the user to fake websites in order to access confidential data
  • Exploiting security vulnerabilities in applications by executing infected data
  • Impersonating input devices and executing actions and commands as the user.

However, this is far from all that is technically possible and conceivable. Israeli security researchers back in 2018 described 29 different ways attackers could use USB devices to compromise users’ computers. [4] All these attacks can be carried out not only with USB sticks, but also with modified USB charging cables.

Warning against campaigns with prepared USB sticks

At the beginning of January 2022, the FBI warned of a new ransomware campaign. Hacker groups send USB sticks by post to selected employees of various companies. These mailings are disguised as harmless information campaigns from known senders, e.g. on the Covid pandemic or as vouchers for well-known online shops. [5,6] By inserting the USB storage media, the recipients indirectly help to infect their own company with ransomware.

“Actually, this is old hat,” comments Markus Riegler, Head of Managed Defense at IKARUS: “The prepared USB stick is actually a keyboard that is automatically installed and activated by the operating system through plug and play. This executes the keystrokes stored on it – as if the attacker were sitting in front of your computer, logged in with your account.” The risks are enormous.

Recommendations and information to employees

Recognising Bad USB attacks is difficult and not an easy task even for admins. Especially foreign or unknown USB sticks, but also other USB accessories in general, should always be treated with caution.

Technically, it is possible to only allow known accessories on end devices based on the USB ID. However, due to the administration of the many different USB devices, this is not always practicable. An isolated test device in internal IT is suitable for checking unknown devices.

The easiest way to address the risk is to make employees aware of the imminent dangers and to specify exactly which devices or gadgets may or may not be used in the company network. Inform them about the impending dangers and e.g. stipulate that USB devices found or received must be handed in to IT for inspection and may under no circumstances be plugged in without prior authorisation.

In the private environment, the simple but effective expert recommendation is: never plug in unknown USB sticks that come via the post, are found or are distributed on the street! This way you reduce the risk to zero.



26 Software Bugs in USB Devices

Schritt für Schritt zum Notfallplan für IT-Security-Incidents
Account Management
Indicators of Attack
Gefahren durch vertrauenswürdige Services
Threat Intelligence
SQL Injection
SMTP Smuggling
Cyber-Risiken in der Ferienzeit
Dynamische Cybersicherheit
Harmony Mobile by Check Point
EU Machinery Regulation
Sergejs Harlamovs, Malware-Analyst bei IKARUS

Plugin IdaClu accelerates malware analysis

IdaClu: IKARUS malware analyst Sergejs Harlamovs wins Hex-Rays plugin contest


IKARUS Security Software GmbH Blechturmgasse 11
1050 Vienna

Phone: +43 1 58995-0
Sales Hotline:
+43 1 58995-500


Support hotline:
+43 1 58995-400

Support hours:
Mon – Thu: 8am – 5pm
Fri: 8am – 3pm
24/7 support by arrangement

Remote maintenance software:
AnyDesk Download