USB Flash Drive - Ransomware or Malware?


21 replies to this topic

#1 T-Ruth

T-Ruth

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:08:08 PM

Posted 19 April 2018 - 05:50 PM

Sorry if this is the wrong forum to post this in.  This is my first time posting on these forums and I don't know how much information you will need to resolve this problem.

 

I was wondering if there's a way to confirm if a USB flash drive is free of viruses, malware, and/or ransomware?

 

I used this USB flash drive back on Feb. 23rd with a computer (Windows XP) that was a part of a network.  The server was infected with Ransomware and all the files on the shared network were encrypted on Feb. 25th.  Supposedly nobody used any of the computers on the network on the 25th, so I suspect that the infection happened earlier and activated the Ransomware at a later date (I don't know if this is even possible).

 

I always remove the flash drive from the computer when I'm not using it, however, since I don't know when exactly the infection occurred, I really don't know if it was infected or not.

 

The tech that was hired was unable to decrypt the files and couldn't contact the hacker to pay the ransom, so we ended up replacing the computer with Windows 10 and restoring some of the files from an older backup.

 

There are files I'd like to transfer from the flash drive to the new Windows 10 computer (Computer #1) and to an older spare computer running Windows XP (Computer #2), as the backup the tech used did not have copies of these files.

 

After avoiding the flash drive for weeks, I decided to test it out on Computer #1 (Apr. 3rd), since I thought Windows 10 would be more secure.  After plugging it in, there was a notification saying "There is a problem with this drive. Scan the drive now and fix it."  I ran Windows Defender and the scan detected "no threats" on the USB flash drive.  I also ran a full system scan and it was also clean.


Since then, I have been saving documents to the flash drive and opening files on it (always while using Computer #1), but I've refrained from copying the flash drive's files to Computers #1 and #2 because of a lingering fear of infection.  Every time I plug it in, I always get the same notification to scan & fix it, but every time I scan it with Windows Defender, no threats are ever found.

 

It's been over two weeks now since I've tried inserting the flash drive and nothing bad has happened to Computer #1 (or the rest of the network for that matter).  I've avoided using the flash drive on Computer #2, because I worry Windows XP will be more vulnerable or the infection will only affect XP but not 10.

 

Questions:

 

1) MAIN QUESTION:  Is the USB Flash Drive safe to use (free of Ransomware, Malware, Viruses, etc.)?

 

2) Does Ransomware usually wait a period of time before activating or take a while to encrypt files?

 

3) Are Windows Defender and Avast Antivirus even capable of detecting Ransomware or am I wasting time running scans with them?

 

4) Have I made a big mistake by opening files on the flash drive with Computer #1, and spread malware on the network?

 

5) Does Ransomware even make copies of itself and spread like viruses do?

 

6) I noticed that the Flash Drive is supposed to have a size of 16 GB, but according to Windows Explorer, its total size is only 14.9 GB.  Is this just false advertisement of the product, or is something wrong with the flash drive?

 

Notes:


USB Flash Drive: SanDisk Cruzer Glide 16GB

 

Computer #1: Windows 10

 

Computer #2: Windows XP (Service Pack 3)

 

Windows Defender: Updates automatically (up to date) - for Computer #1

 

Avast Antivirus: Updates automatically (up to date) - for Computer #2

 

* The USB Flash Drive is usually plugged into a computer for 2 hours or less.  I very rarely leave it in for a long duration.

 

 

Thanks for your help,

 

- T-Ruth




#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,754 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:08 PM

Posted 19 April 2018 - 07:49 PM

Welcome to Bleeping Computer.

What type of crypto malware were you dealing with?

Crypto malware (file encryptor ransomware) typically propagates itself as a Trojan, although Zcrypt was a self-replicating virus hybrid distributed via malicious email attachments, then spread through removable USB drives, and WannaCry was a worm distributed via an email malspam campaign that spread by exploiting vulnerabilities in the Windows operating system. A strain of Spora ransomware and a variant of CryptoLocker were reported to spread via USB removable drives.

Trojans do not reproduce by infecting other files nor do they self-replicate. Instead Trojans spread via a variety of common vectors...opening a malicious or spam email attachment, executing a malicious file, web exploits, exploits, exploit kits, malvertising campaigns, non-malware (fileless) attacks, drive-by downloads, social engineering, scams and RDP brute-force attacks against servers, particularly by those involved with the development and spread of ransomware.

Most crypto malware ransomware is typically programmed to automatically remove itself...the malicious files responsible for the infection...after the encrypting is done since they are no longer needed. That explains why many security scanners do not find anything after the fact. The encrypted files do not contain malicious code so they are safe. Unfortunately, most victims do not realize they have been infected until the ransomware displays the ransom note and the files have already been encrypted. In some cases there may be no ransom note and discovery only occurs at a later time when attempting to open an encrypted file. As such, they don't know how long the malware was on the system before being alerted or if other malware was downloaded and installed along with the ransomware. If other malware was involved it could still be present so be sure to perform full scans with your anti-virus.

If your antivirus did not detect and remove anything, additional scans should be performed with other security programs like Emsisoft Anti-Malware, Malwarebytes 3.0, Zemana AntiMalware, RogueKiller Anti-malware and HitmanPro. You can also supplement your anti-virus or get a second opinion by performing an Online Virus Scan.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 T-Ruth


Posted 20 April 2018 - 11:53 AM

First of all, thanks for the detailed reply.  Knowing that encrypted files don't contain malicious code is a big relief.

 

According to the tech, it was a combo of CryptXXX and Dharma.  Supposedly, the second one re-encrypted the first one.  Are these two particularly harmful to our computer/network?

 

All of the Windows Defender scans have so far been clean.  I just tried the ESET Online Scanner and it hasn't detected any threats either.  That being said, ESET only scanned the C:\ Drive, not the E:\ (USB) drive.  I haven't tried MalwareBytes yet, since I don't have administrator privileges on the Windows 10 computer.

 

You wrote that Ransomware typically removes itself and since the scan results have been good, do you think it is safe for me to use the USB flash drive with the Windows XP computer again?

 

To do an additional scan, I might have to plug the USB Flash Drive into the Windows XP (Service Pack 3), since that is the computer I have administrative privileges on.  Will plugging in the flash drive put this computer at risk?  If so, what should I do to properly protect the computer before running a scan?

 

I have Avast Antivirus installed and up-to-date on the Windows XP, will this be effective in detecting Malware / Ransomware?

 

Thank you,

 

- T-Ruth



#4 quietman7


Posted 20 April 2018 - 03:26 PM

CryptXXX was reportedly delivered via the Angler Exploit Kit located on hacked sites or through malvertising and Trojan Downloaders such as Bedep. When a browser opens one of these exploit kits, it will scan the computer for vulnerable programs and attempt to exploit them to install and start the ransomware without your knowledge as explained here.

The ransomware is shipped to the victim as a delayed execution DLL which waits 62 minutes to launch – a function which makes it harder for the victims to connect the incident to the source of infection. Delaying the execution is also a known VM evasion technique, especially when using a random time of delay. It then encrypts the files found on the infected machine and adds to the filename the .crypt extension.

Check Point Threat Alert: CryptXXX Ransomware

There are several different variants of CryptXXX Ransomware with different file extensions appended to the end of encrypted filenames and one variant which does not use any obvious file extension. Any files that are encrypted with earlier versions of CryptXXX Ransomware will have the .crypt extension appended to the end of the encrypted data filename. Any files that are encrypted with CryptXXX 3.x will have the .cryp1, .crypz or a random 5 hexadecimal character extension (i.e. .ACoD4, .DA3D1, .73E61, .EF538) appended to the end of the encrypted data filename as explained here. The Microsoft Decryptor variant of CryptXXX 3.x encrypts files but does not append an obvious extension to the end of encrypted filenames. Any files that are encrypted with CryptXXX 4.x/5.x will have a random 32 hexadecimal characters (MD5 Hash).random 5 hexadecimal character pattern (i.e. 0412C29576C708CF0155E8DE242169B1.6B3FE) appended to the end of the encrypted data filename.

A repository of all current knowledge regarding CryptXXX is provided by Grinler (aka Lawrence Abrams), in the: CryptXXX Ransomware Help, Information Guide and FAQ.


Dharma Ransomware is a Trojan and a newer variant of CrySiS Ransomware distributed as malicious attachments in spam emails and disguised as installation files for legitimate software as explained here. Newer variants were reported to be involved in a campaign which used RDP brute force attacks to compromise the victim’s system as explained here and here.

PROPAGATION MECHANISM
No mechanism has been detected allowing the propagation of this harmful code to other devices; it does not exploit vulnerabilities in remote systems or attack the credentials of other devices/services. The malware behaves basically like a “Trojan-ransomware”, meaning human intervention is necessary for the activation of its malicious code (manual execution)... it has been determined that the initial infection vector for distributing this type of malware is usually the RDP (Remote Desktop Protocol).

Ransomware from the Crysis/Dharma family Report

There are several variants of Dharma (CrySiS) Ransomware with different file extensions to include .dharma, .wallet, .onion, .zzzzz, .cezar, .cesar, .arena, .cobra, .java, .write and .arrow.

You may want to check out this List of Free Scan & Disinfection Tools that allow drive selection
 


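The extension patterns quietman7 lists above (.crypt, .cryp1/.crypz, a random five-hex-character extension, the 32-hex.5-hex form of CryptXXX 4.x/5.x, and the Dharma/CrySiS word list) lend themselves to a quick, read-only triage of the file names on a drive before anything is copied off it. The script below is an added example written for this thread, not a BleepingComputer, Check Point or vendor tool. The regular expressions, the sample file names, and the choice that the two generic rules (five-hex extension, Dharma word list) only fire when the name still carries its original extension (a second dot, as in report.docx.arena) are assumptions of this example; the Microsoft Decryptor variant that appends nothing cannot be found this way, and a name match is a reason to isolate the file and scan, not proof of infection.

```python
"""Filename-based triage for the CryptXXX and Dharma (CrySiS) extension patterns
described in this thread.  Added example: the rules below are constructed from
the post's description and are not taken from any vendor tool."""
import os
import re
from collections import defaultdict

HEX = r"[0-9A-Fa-f]"

# CryptXXX 4.x/5.x: <32 hex chars (MD5)>.<5 hex chars>, e.g. ...0412C29576C708CF0155E8DE242169B1.6B3FE
RE_CRYPTXXX_45 = re.compile(r"\." + HEX + r"{32}\." + HEX + r"{5}$")
# CryptXXX 3.x named extensions
RE_CRYPTXXX_3 = re.compile(r"\.(cryp1|crypz)$", re.IGNORECASE)
# CryptXXX 1.x/2.x
RE_CRYPTXXX_1 = re.compile(r"\.crypt$", re.IGNORECASE)
# CryptXXX 3.x random five-character extension, matched strictly as hex (assumption)
RE_HEX5_EXT = re.compile(r"\." + HEX + r"{5}")

# Dharma/CrySiS extensions as listed in the post
DHARMA_EXTENSIONS = {".dharma", ".wallet", ".onion", ".zzzzz", ".cezar", ".cesar",
                     ".arena", ".cobra", ".java", ".write", ".arrow"}

LABEL_CRYPTXXX_45 = "CryptXXX 4.x/5.x"
LABEL_CRYPTXXX_3 = "CryptXXX 3.x (.cryp1/.crypz)"
LABEL_CRYPTXXX_3_RANDOM = "CryptXXX 3.x (random 5-hex extension)"
LABEL_CRYPTXXX_1 = "CryptXXX 1.x/2.x (.crypt)"
LABEL_DHARMA = "Dharma/CrySiS"


def classify(filename):
    """Return a family label for one filename, or None when no rule matches.

    The most specific rule runs first so the 32-hex.5-hex form of 4.x/5.x is
    not swallowed by the bare 5-hex rule.  Assumption of this example: the two
    generic rules (5-hex, Dharma word list) only fire when the name still
    carries its original extension (a dot in the stem), which keeps ordinary
    files such as Main.java from being flagged.
    """
    base = os.path.basename(filename)
    stem, ext = os.path.splitext(base)
    keeps_original_ext = "." in stem
    if RE_CRYPTXXX_45.search(base):
        return LABEL_CRYPTXXX_45
    if RE_CRYPTXXX_3.search(base):
        return LABEL_CRYPTXXX_3
    if RE_CRYPTXXX_1.search(base):
        return LABEL_CRYPTXXX_1
    if keeps_original_ext and RE_HEX5_EXT.fullmatch(ext):
        return LABEL_CRYPTXXX_3_RANDOM
    if keeps_original_ext and ext.lower() in DHARMA_EXTENSIONS:
        return LABEL_DHARMA
    return None  # also the "Microsoft Decryptor" variant, which appends no extension


def triage(filenames):
    """Group filenames by detected family; names that match no rule are dropped."""
    hits = defaultdict(list)
    for name in filenames:
        label = classify(name)
        if label is not None:
            hits[label].append(name)
    return dict(hits)


def scan_directory(root):
    """Walk a mounted drive or folder read-only and triage every file name found."""
    names = []
    for dirpath, _dirs, files in os.walk(root):
        names.extend(os.path.join(dirpath, f) for f in files)
    return triage(names)


# Constructed sample names for this example (not files from the thread)
SAMPLE_NAMES = [
    "budget_2018.xlsx",                                  # clean
    "photo.jpeg",                                        # clean
    "Main.java",                                         # clean: no original extension kept
    "notes.txt.crypt",                                   # CryptXXX 1.x/2.x
    "invoice.pdf.crypz",                                 # CryptXXX 3.x
    "report.docx.DA3D1",                                 # CryptXXX 3.x random 5-hex
    "scan.tif.0412C29576C708CF0155E8DE242169B1.6B3FE",   # CryptXXX 4.x/5.x
    "contract.docx.arena",                               # Dharma
    "minutes.doc.wallet",                                # Dharma
]

if __name__ == "__main__":
    import sys
    # Pass a drive or folder path to scan it; with no argument the sample names are used.
    hits = scan_directory(sys.argv[1]) if len(sys.argv) > 1 else triage(SAMPLE_NAMES)
    for label, names in sorted(hits.items()):
        print(f"{label}: {len(names)} file(s)")
        for n in names:
            print("   ", n)
    if not hits:
        print("no filenames matched the CryptXXX/Dharma patterns")
```

Run it against the mount point of the flash drive (for example `python triage.py E:\`); it opens no files and changes nothing, so it is safe to run from a rescue environment as well. Ordinary documents with five-character or Dharma-like extensions can still produce false positives, which is why the output is a list to inspect, not a verdict.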

#5 T-Ruth


Posted 23 April 2018 - 10:27 AM

1) I see that CryptXXX has a delay of 62 minutes before launching.  Since it's been about 3 weeks since I started plugging in this USB flash drive again (on Windows 10), do you think this means the Angler Exploit Kit is not on this flash drive?
 
2) Since both CryptXXX and Dharma have different ways of propagating, how do you think our network got infected by both?  It seems so unlikely that on the day we get infected by an exploit kit, we would also get infected with a Trojan.
 
3) I checked the "List of Free Scan & Disinfection Tools" you linked to.  Which ones don't require installation?  I tried downloading "SuperAntiSpyware", but when I ran the .exe, I was prompted for an administrator's password.
 
Thanks,
 
- T-Ruth


#6 quietman7


Posted 23 April 2018 - 03:25 PM

Many of these tools are stand-alone applications contained within zipped files...meaning they require no installation, so after extraction they can be copied to and run from USB drives. Scroll up to Post #2 for a more comprehensive list. I have not used them all so I cannot confirm which ones have the option to choose which drive to scan...you'll need to test them and confirm.

Exploit kits are only one method to spread ransomware. Step 2 in this topic explains the most common methods by which crypto malware (file-encrypting ransomware) is typically delivered and spread.



#7 T-Ruth


Posted 23 April 2018 - 04:29 PM

Okay, it looks like I can't run any .EXE files without an administrator's account due to the heightened security settings on the Windows 10.

 

  1. I might have to scan the flash drive with the Windows XP (Service Pack 3).  Is there anything I should do to prep this computer before attempting to plug the flash drive into it?
  2. If the scan of the flash drive does not detect any threats, should I consider it safe to use?
  3. Lastly, would reformatting the USB flash drive get rid of any malware / ransomware that might be hidden on it?

Thanks again,

 

- T-Ruth



#8 quietman7


Posted 23 April 2018 - 06:08 PM

XP is more vulnerable so it's important that autorun is disabled and you are not connected to the net. However, there is no way to know whether or not other malware was dropped and lurking about. I would be more cautious unless the computer I used had nothing important on it and could easily be reformatted/clean installed if something went awry. If I didn't have access then I would be more inclined to just scan with a LiveCD/Rescue CD/USB which should allow you to scan the USB drive.

LiveCD/Rescue CD/USB utilities are tools provided by most anti-virus vendors to assist with difficult to remove malware without having to boot into Windows. They are primarily used to boot from and repair unbootable or damaged systems, rescue data, and scan the system for malware infections. With a bootable virus scanning utility, you create a flash drive or CD/DVD disc from a working computer and then use it on an infected machine to scan the hard drive for malware. These types of utilities permit offline scanning which can disinfect malware from outside the infected Windows system. The advantage of offline scans is that they can be used when the malware is not running and interfering with the clean-up process. Rescue CDs typically come as an ISO image file that can be written to a CD or installed on a USB flash drive which is then used to boot up the computer to run the live operating system in memory.


List of Anti-virus vendors that offer free LiveCD/Rescue CD utilities

 

 



#9 T-Ruth


Posted 24 April 2018 - 10:15 AM

I'll see if I can create a Rescue USB.  My computer skills / knowledge is a bit limited.

 

If I'm unable to do this, would reformatting the USB Flash Drive clean it of any viruses, malware, or ransomware?



#10 quietman7


Posted 24 April 2018 - 10:49 AM

If I format or erase my hard drive will it remove a virus?

If your computer is infected with a virus, formatting or erasing the hard drive and starting over will almost always remove any virus.

 

How to Remove a Virus From a Flash Drive

4...you may wish to reformat your thumb drive. Reformatting your USB drive will remove all existing data from the drive, providing you with a clean, virus-free device.


How do I clear everything (data, viruses) from a thumbdrive?



#11 T-Ruth


Posted 25 April 2018 - 10:00 AM

I scanned all of the files on the flash drive with Windows Defender before moving them to a desktop folder on the Windows 10.

The flash drive was empty (I have Windows Explorer set to show all hidden files and folders), but a Windows Defender scan result claims there were 8 items scanned.

I reformatted the flash drive to be on the safe side. Afterwards, I scanned the now empty and reformatted flash drive again with Windows Defender. No threats were detected, however, according to the scan results there are 2 items on the flash drive. Whatever these 2 invisible files are, Windows Defender doesn't consider them to be a threat.

Questions:

1) Is it normal for an empty flash drive to still have invisible items in the scan results?

2) I selected "Quick Format" for formatting the flash drive. Is this less thorough? Should I have unchecked this option and performed a full format?

3) Even after formatting, the flash drive does not have 16GB of free space. According to Windows Explorer, the total size of the flash drive is 14.9GB. Is this normal?

 

Thanks,

 

T-Ruth



#12 quietman7


Posted 25 April 2018 - 03:06 PM

By invisible do you mean hidden? And yes it is possible...some usb manufacturers include hidden files, software.

When you choose to run a Full format on a volume, files are removed from the volume that you are formatting and the hard disk is scanned for bad sectors. The scan for bad sectors is the reason why the Full format takes twice as long as the Quick format.

If you choose the Quick format option, the format removes files from the partition, but does not scan the disk for bad sectors. This option is best when your hard disk has been previously formatted and you are sure that your hard disk is not damaged nor has bad sectors. This can be a problem later because bad sectors that are not located can cause damage to the hard drive. For example, if data is later installed on this “bad sector”, the data will read errors or as corrupted files.

In simple terms, a Full format will truly scrub through the hard drive from scratch, rebuild all of its file structures, and scans the drive to make sure that everything is on a satisfactory level. On the other hand, what a Quick format does is lay down a blank FAT and directory table without checking for bad sectors.

Tech Myth #2 Quick Format vs. Full Format
What is the difference between a quick format and a full format?

Yes, there can be some discrepancy between the actual size indicated by the manufacturer and what it actually shows in Windows Explorer when you right-click and choose Properties. The manufacturer may round off and include hidden files/software.

#13 T-Ruth


Posted 25 April 2018 - 06:13 PM

Windows Defender claims it scanned "2 files", but when I look at the USB flash drive with Windows Explorer it doesn't show anything on the drive.  I already have the folder option set to show all "hidden files and folders", but I can't see them, so I don't know what those 2 files could possibly be.

 

I just tested out Windows Defender again, this time scanning an old Excel spreadsheet.  Despite the fact it is just one spreadsheet, the result claims it scanned "16 files".  It's like there's a bunch of files that simply don't show up for some reason!

 

T-Ruth



#14 quietman7


Posted 25 April 2018 - 06:53 PM

I never used Windows Defender but I found this explanation at the Microsoft Answers forum.

You could always do a Google search for the manufacturer of your usb drive and ask them about hidden files.

#15 T-Ruth


Posted 26 April 2018 - 03:06 PM

Thanks for the link!  I read through it and I was wondering what a "dependence process" is?  I tried a Google search for the term, but I can't find anything computer related.

 

I've completed a full format about half an hour ago.  Windows Defender still says there are 2 files on it for some reason.  Since the flash drive is really 14.8GB instead of the advertised 16GB, I'm guessing there's something in the flash drive necessary for it to function, and that's probably what those 2 files are for.

 

Anyway, I went and individually scanned the files before moving them back onto the flash drive.  Interestingly, some files count as several files!  For example, a single JPG would normally count as 1 file, but a few JPGs counted as 2 files, and one even counted as 475,682 files.  The file size itself wasn't too big, but what they had in common were long names.  When I renamed the big "475,682" file to a shorter name, it dropped down to 2 files.

 

Also, different types of files would be counted differently.  PDF files usually counted as more than 1 file, as did some spreadsheets.

 

T-Ruth





