You just got a free USB flash drive in the mail as part of a Best Buy promotion. You are psyched, because in this age of portable media, you just lent your last USB stick to a colleague and was about to head to the store to buy a new one.

What good fortune!

So, you plug that flash drive into your USB port and – BOOM! – you get a black screen of death with a notification that your computer is locked and will remain that way until you deposit $2,000 worth of bitcoin into the hacker’s account.

As bad as this scenario is, it could be worse. At the time of “detonation,” your computer could have been connected to the corporate network, with the result being that whatever virus was on that USB flash drive is now spreading like wildfire across your entire company.

Sound implausible? If so, then consider this:

Late last year, the FBI reported that an alarming number of companies received fake packages from Amazon that included malicious USB flash drives. The enclosed USB sticks, which have been traced to the Eastern European cybercriminal group, FIN7, were loaded with malicious software that could have given the cybercriminals network access for the purpose of deploying ransomware.

3 Most Common USB Flash Drive Threats

There are three main types of USB flash drive attacks that you could fall victim to, leaving both your data and the data of the company you work for vulnerable to ransom or total and complete obliteration.

  1. Malicious Code: Hackers use USB sticks to infect computer with malware. The moment you insert the USB flash drive into your computer, code is installed. You may never know of the breach, giving hackers the opportunity to steal passwords, credit card and banking information, and more.
  2. Social Engineering: Social engineering attacks attempt to fool the user by impersonating someone you know, such as your delivery company or your bank. Once you plug in the flash drive, you are taken to a fake website that looks legitimate but is anything but. If you are fooled into entering your login credentials, then the hacker has direct access to whatever website you thought you were visiting.
  3. Human Interface Device Spoofing: This type of USB flash drive attack registers the thumb drive – once plugged in – as a Human Interface Device keyboard, which allows it to operate even with removable storage devices toggled off. It can then use keystrokes to place malware on your computer and potentially deposit and fire up additional rogue files. The end goal? To deploy ransomware on the compromised network.

How to Protect Yourself – and Your Data

The easiest and most effective way to prevent yourself from a USB flash drive attack is to never use USB flash drives – ever. That said, with today’s need for removable and portable media, which has been largely driven by the vast number of people now working between home and office, it is not realistic to think that the USB flash drive industry is going out of business anytime soon.

So, instead of never using any USB flash drive, you should avoid plugging in any thumb drive whose source or chain of command is unknown. This holds true for flash drives you lend to colleagues and flash drives they lend to you. Not knowing exactly where that flash drive has been – or what infected device it has been plugged into – you’re better off not using thumb drives that are lent to others and then returned.

If that is still too much to ask, then disable Autorun for Windows. The Autorun feature enables removable media devices such as USB drives and CDs to open automatically when they are inserted. By disabling Autorun, you can prevent malicious code on an infected USB drive from opening automatically.

The Best Protection of All

To reduce the chance that a rogue USB flash drive will bring your organization to its knees, it is a good idea to install physical port locks on all computer and network ports throughout your company. These nifty little devices cost as little as a couple bucks each but have been proven to effectively protect networks from malicious USB flash drives – and other removable media.

USB port locks are the best insurance against those ultra-curious employees who receive USB flash drives from Amazon, plug them into their work computers, only to discover that those flash drives were Trojan horses send by FIN7, not Amazon.