NEW YORK — USB thumb drives found by the FBI throughout the main cities in the US contain a new variant of a known so-called “ransomware,” but the method of randomly scattering them around suggests that an amateur lies behind the attack. “It’s a very strange way to spread this kind of thing,” says a field agent who wishes to remain anonymous.
Several independent sources report that USB thumb drives were located in Manhattan in New York City, where a large number of tech companies conduct their research. Today, we can reveal that the thumb drives contain a new variant of a previously known ransomware for Windows, which is referred to as “Philadelphia” in security firm ESET’s virus database.
A security specialist at ESET analyzed the code on one of the found USB thumb drives, and he is baffled by the contents. “It’s a pretty common type of ransomware, but it’s a very strange way to spread it,” he said.
One of the reasons why Craig Stephenson believes that the distribution method is peculiar is that the malicious code on the thumb drives does not run automatically when a drive is inserted into a computer. Instead, the creators seem to bet that those who find the thumb drives will not only insert them into their computer but also double-click the binary stored on them.
“You could just as well have sent out a bulk email with the infected files attached. It would probably have been cheaper and a lot more efficient,” says Craig Stephenson.
Most of the evidence, therefore, suggests that the perpetrator who tried to carry out the attack is an amateur.
Security companies have known about the ransomware “Philadelphia” since September last year, but someone recently tweaked the code and produced a new variant of it. According to Craig Stephenson’s analysis, the code was compiled as recently as March 11th, that is to say, just a few days before the thumb drives started to appear in the main cities across the nation.
After a few calls, Craig Stephenson confirms that the program found on the USB thumb drives is ransomware that can be bought on the black market. In Italy and Slovakia, two European countries, the same variant appeared almost at the same time as the thumb drives were found in the US.
The user name on the computer that compiled the program suggests an American user, and a bitcoin address recovered by reverse engineering the program was traced to transactions within the country.
Another remarkable detail revealed itself when Craig Stephenson managed to recover a large number of deleted files from the thumb drives. Most of them turn out to be holiday photos from what seems to be an ordinary family in Australia. According to the metadata, the photos were taken several years ago.
“There is not much to suggest that this family has anything to do with this ransomware. It is more likely that we are looking at old and recycled hardware,” says Craig Stephenson.
For those affected by the ransomware, that is to say, those who fell for the temptation and ran the binary located on the thumb drives, Craig Stephenson has good news. It appears relatively easy to decrypt the files that the program encrypts and holds hostage. ESET has already added it to their database, and it is likely that more security companies will do the same if they haven’t already.
“There is no hint whatsoever that it would be difficult to restore any lost files, but of course I would advise everyone to never run an unknown binary on your own computer,” he concluded.