Microsoft detects USB worm on computers of about a thousand companies


In the past month, Microsoft has detected a USB worm that can lead to ransomware infections on three thousand computers at about a thousand organizations. The worm can also spread because organizations enable AutoRun, a feature that Windows disables by default for USB sticks for security reasons. Microsoft reports this in an analysis.

The worm is called Raspberry Robin and can spread in two ways. The first is through rogue LNK (shortcut) files. These LNK files pose as a legitimate folder on the infected USB drive or bear the name of a USB drive manufacturer. In reality, opening the LNK file installs malware on the system.

The second method is AutoRun. This functionality allows software on, for example, a USB stick to start automatically as soon as the device is connected. Years ago, AutoRun was widely used to spread malware via USB sticks. Microsoft decided to limit the functionality, so that it does not work by default for USB sticks. However, many companies use AutoRun for USB sticks, Microsoft claims.

Once active, Raspberry Robin adds a registry key so that the malware is loaded every time the system is booted. The USB worm can then install additional malware. Ransomware groups also use the access that Raspberry Robin provides to roll out ransomware within the affected organization. For example, several infections with the USB worm have led to infections with the infamous Clop ransomware. To counter the threat, Microsoft advises not enabling AutoRun for USB sticks and other drives, and blocking untrusted and unsigned processes from running from USB sticks.
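
One way to check the AutoRun advice above on a Windows host is to decode the NoDriveTypeAutoRun policy value, a bitmask in which a set bit turns AutoRun off for that drive type. This PowerShell audit is an added example, not code from Microsoft's analysis; the function names are illustrative and the sample masks are constructed.

```powershell
# Added example (not Microsoft's code): audit the AutoRun policy for removable drives.
# NoDriveTypeAutoRun is a bitmask; a set bit turns AutoRun OFF for that drive type.
$PolicyPath = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$DriveTypeBits = [ordered]@{
    'Unknown'   = 0x01
    'Removable' = 0x04   # USB sticks
    'Fixed'     = 0x08
    'Network'   = 0x10
    'CD-ROM'    = 0x20
    'RAM disk'  = 0x40
}

function ConvertFrom-NoDriveTypeAutoRun {
    param([Parameter(Mandatory)][int]$Value)
    # Names of the drive types for which this mask disables AutoRun.
    @($DriveTypeBits.GetEnumerator() | Where-Object { $Value -band $_.Value } | ForEach-Object { $_.Key })
}

function Get-AutoRunPolicy {
    # A value in HKLM takes precedence over the per-user value in HKCU.
    foreach ($hive in 'HKLM', 'HKCU') {
        $item = Get-ItemProperty -Path "${hive}:\$PolicyPath" -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            [pscustomobject]@{ Hive = $hive; Mask = 'not set'; RemovableDisabledByPolicy = $false; DisabledFor = '' }
            continue
        }
        $raw = $item.NoDriveTypeAutoRun
        # The value may be stored as REG_BINARY; the mask is in the first byte.
        if ($raw -is [byte[]]) { $raw = $raw[0] }
        $mask = [int]$raw
        [pscustomobject]@{
            Hive = $hive
            Mask = '0x{0:X2}' -f $mask
            RemovableDisabledByPolicy = [bool]($mask -band 0x04)
            DisabledFor = (ConvertFrom-NoDriveTypeAutoRun -Value $mask) -join ', '
        }
    }
}

# Constructed sample masks, decoded without touching the registry.
foreach ($sample in 0x91, 0xFF) {
    '0x{0:X2} disables AutoRun for: {1}' -f $sample, ((ConvertFrom-NoDriveTypeAutoRun -Value $sample) -join ', ')
}

# Live check on a Windows host.
Get-AutoRunPolicy | Format-Table -AutoSize
```

A mask with bit 0x04 clear, or no value at all, means policy does not enforce the restriction for USB sticks and the operating system's own default decides; it does not by itself show that AutoRun is active.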