Ransomware is a type of malicious software that encrypts files on a computer or network, preventing users from accessing them. The attackers demand a ransom payment in cryptocurrency in exchange for decrypting the files. Ransomware has become a major cybersecurity threat in recent years, with attacks on businesses, government agencies, hospitals and other organizations. One question many have is whether ransomware can spread through USB flash drives and other removable media.
The short answer
Yes, ransomware absolutely can spread through USB devices and other removable media like external hard drives. This is one of the most common ways ransomware propagates. The ransomware code itself or an infected file is stored on the removable media, and when the media is plugged into another computer, the ransomware gets installed and starts encrypting files. Users should be very cautious about plugging in any unknown USB drive as it may contain ransomware.
How ransomware spreads via USB
There are a few main ways ransomware can spread via USB drives or other removable media:
- Infected USB drives – The USB drive itself contains the ransomware code or an infected file that installs the ransomware when the drive is plugged in and accessed. The malware takes advantage of the auto-run feature in Windows.
- Dropped USB drives – Attackers may drop infected USB drives in parking lots or other public locations, hoping victims will pick them up and plug them into their computers, unintentionally installing the ransomware.
- USB drive-by attacks – Hackers may infect computers in internet cafes or libraries and set the ransomware to spread to any USB drive plugged into the computer. When users access the infected public computers and insert their USB drive, it gets infected with ransomware.
- Fake update files – Malicious files that claim to be software updates may be placed on USB drives. If the user thinks it’s a legitimate update file and installs it, the ransomware gets deployed.
- USB chargers – Some public USB charging stations could install ransomware on phones, tablets or laptops plugged into them to charge.
In all these cases, the ransomware is designed to immediately install itself and start encrypting files as soon as the infected USB drive is accessed on another computer. Even plugging in the USB stick for a few seconds could be enough to infect a computer in some cases.
Major ransomware attacks spread via USB
Some of the most damaging ransomware attacks in history were initially seeded through USB drives and other removable media. These include:
- NotPetya – This devastating 2017 ransomware outbreak, which caused over $10 billion in damages, started through a software update seeded on infected USB drives in Ukraine.
- Bad Rabbit – The Bad Rabbit ransomware attack in 2017 affecting Russia and Europe also spread via fake Adobe Flash update installers on compromised websites and infected USB drives.
- WannaCry – Analysis suggests the massive WannaCry ransomware worm in 2017 was likely seeded into networks when attackers infected unpatched computers and then used stolen credentials or exploits to infect any USB drive plugged into the computers.
In the case of WannaCry, once one infected computer existed within a network, the ransomware was designed to rapidly move laterally and infect any other unpatched computers, including scanning for and infecting USB drives plugged into already compromised machines.
How to prevent USB ransomware infections
The key to preventing ransomware infections from USB drives or other removable media is exercising caution about plugging in any unknown device, and using security software to scan for threats. Steps to take include:
- Avoid plugging in any unknown USB drive found in public locations or received from unknown parties – it could very likely contain ransomware.
- Always scan any USB drive or removable media with up-to-date antivirus software before opening any files.
- Set Windows to disable auto-run on removable drives.
- Maintain strong IT security defenses on networks to detect ransomware behavior immediately if a USB threat makes it onto a computer.
- Regularly patch and update all systems – ransomware often exploits old vulnerabilities to spread.
- Be very cautious of any “update” files or “Flash installers” on USB drives – always verify authenticity.
Organizations should also develop clear policies prohibiting users from inserting unauthorized USB drives and removable media into company computers. With proper cybersecurity education for employees, ransomware incidents stemming from infected USB drives can be minimized.
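As an added example (not part of the original article), the following sketch triages a mounted removable drive before any file on it is opened: it parses `autorun.inf` for launch directives and flags executables that hide behind a document extension or are named like update or Flash installers. The function names, extension lists and sample files are assumptions constructed for illustration, and the check complements an antivirus scan rather than replacing it.

```python
import re
import tempfile
from pathlib import Path

# Assumed, illustrative lists (not from the article); tune for your environment.
EXEC_EXT = {".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".lnk", ".msi", ".ps1"}
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}
LURE = re.compile(r"(update|flash|install|setup)", re.I)
AUTORUN_KEY = re.compile(r"^\s*(open|shellexecute|shell\\[^=]*\\command)\s*=\s*(.+)$", re.I)

def triage_drive(root):
    """Return sorted (relative_path, reason) findings for a mounted drive."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name.lower() == "autorun.inf":
            # autorun.inf is INI-like; these keys name a program to launch.
            for line in path.read_text(errors="replace").splitlines():
                m = AUTORUN_KEY.match(line)
                if m:
                    findings.append((rel, f"autorun launches: {m.group(2).strip()}"))
            continue
        suffixes = [s.lower() for s in path.suffixes]
        if not suffixes or suffixes[-1] not in EXEC_EXT:
            continue  # not an executable type we care about
        if len(suffixes) > 1 and suffixes[-2] in DOC_EXT:
            findings.append((rel, "document extension before executable one"))
        if LURE.search(path.stem):
            findings.append((rel, "executable named like an update/installer"))
    return sorted(findings)

def build_sample_drive(root):
    """Constructed sample content (harmless placeholder files) for the demo."""
    root = Path(root)
    (root / "autorun.inf").write_text("[autorun]\nopen=tools\\FlashUpdate.exe\nicon=drive.ico\n")
    (root / "tools").mkdir()
    (root / "tools" / "FlashUpdate.exe").write_text("placeholder")
    (root / "invoice.pdf.exe").write_text("placeholder")
    (root / "notes.txt").write_text("placeholder")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample_drive(d)
        for rel, reason in triage_drive(d):
            print(f"{rel}: {reason}")
```

Point `triage_drive` at the mount point of a real drive to get the same list of findings; an empty result only means none of these specific patterns were present.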
Ransomware infection examples via USB
Here are some real-world examples of how ransomware was able to spread through USB drives and other removable media:
- Maersk Shipping – The NotPetya ransomware outbreak in 2017 that crippled global shipper Maersk started from an infected USB drive used to update software at an office in Ukraine.
- Hydro – The enormous Norwegian aluminum company Hydro suffered a major ransomware attack traced to infected USB drives used at production plants in the U.S. and Europe.
- Riviera Beach, Florida – This city government was hit with ransomware in 2019, later discovered to have sprung from an infected USB drive used by an employee.
- Davidson County, North Carolina – In 2019, ransomware hit this county government and investigators found it began with a single infected USB drive inserted into a computer in the finance department.
These examples clearly illustrate just how easily ransomware code on a small USB drive can end up compromising entire corporate networks and computer systems. Employee education is extremely important, as is blocking access to USB drives whenever possible through technical controls. If a malicious USB drive is able to make it onto a single system, aggressive lateral movement can allow ransomware to infect an entire network.
USB Drives as backup during ransomware attacks
During ransomware attacks, USB drives are extremely useful for making backups of critical data that may be under threat of encryption. As soon as a ransomware infection is detected, immediately unplug USB drives and use them to back up and save valuable files and data that have not yet been encrypted.
Backups on USB drives can serve as a means of recovering files after a ransomware incident without paying the ransom. Just be absolutely certain the USB drives themselves are not infected – scan them with malware detection software before using them for backup.
USB drives and other removable media absolutely do pose a serious ransomware infection risk due to how easily malware can be stored on them and transmitted to computers once plugged in. But by following smart security practices like disabling autoplay, avoiding unknown drives, scanning all media and maintaining secure network defenses, organizations can stay protected. While USB drives are a common ransomware attack vector, they can also serve as a crucial recovery tool to safely back up and restore data without paying ransoms. So long as proper care is taken to ensure USB devices are clean before use, their physical mobility makes them invaluable for mitigating and responding to ransomware outbreaks.
Frequently Asked Questions
Can you get ransomware from USB drives?
Yes, USB drives are one of the most common ways that ransomware spreads. The ransomware code or infected files can be stored on the USB drive, and can instantly infect a computer when the drive is plugged in.
Has ransomware spread by USB?
Many major ransomware attacks like NotPetya and Bad Rabbit initially spread via infected USB drives. Attackers distribute the drives, or plant them in public places, waiting for victims to use them.
Can ransomware transfer through USB?
Absolutely. Ransomware uses USB drives to transfer itself and spread to new computers. It can transfer via infected drives, or by infecting a computer and waiting to infect USB devices plugged in.
Can USB be infected with ransomware?
Yes, ransomware often directly infects USB drives to store malicious code or infected files that get transferred when plugged into new computers.
Is it safe to pick up USB drives?
No, it is generally unsafe to pick up and use USB drives you find in public locations, as they may very likely be infected with malware like ransomware and left there on purpose by attackers.
How do I protect USB drives from ransomware?
Scan USB drives with security software before using them, disable autoplay features in your operating system, and restrict physical access to USB ports on computers to prevent infection.
Can ransomware infect USB during power off?
No, ransomware cannot infect a USB drive while a computer is powered off entirely. It needs an active operating system to spread and infect drives.
Will ransomware encrypt USB drives?
Some ransomware variants are designed to encrypt any external drives connected to an infected computer, including USB drives. So USB drives themselves can become encrypted by ransomware.
Can ransomware encrypt cloud storage?
If ransomware infects a computer with logged-in access to cloud storage like Dropbox or Google Drive, it can encrypt files in those cloud accounts that are synchronized locally on the infected computer.
Ransomware poses a major cyberthreat, with USB drives being one of the most effective vectors for propagation. While USB drives are tremendously helpful for transporting and backing up data, their ability to carry and spread malware means special security precautions need to be taken. Avoiding unknown drives, scanning all media, restricting USB access and maintaining network endpoint security controls are critical steps for hindering ransomware infections. Cybersecurity awareness training for employees can also go a long way towards preventing incidents stemming from infected USB drives.