Ransomware continues to be one of the most destructive cyber threats organisations can face. The biggest ransomware attacks in recent history have caused widespread operational disruption, financial loss, and reputational damage. While remote attacks often dominate headlines, physical media such as USB drives and external storage still play a significant role in malware propagation. Proper USB hygiene, meaning controlling, scanning, and managing removable devices, could have reduced the impact of several high-profile incidents.
This article explores five of the worst ransomware attacks and examines how better USB and removable media practices might have mitigated their consequences.
1. WannaCry (2017)
WannaCry is often cited among the biggest ransomware attacks due to its unprecedented global impact. Striking in May 2017, the ransomware exploited a Windows vulnerability using the EternalBlue exploit, affecting over 200,000 computers across 150 countries. Major organisations, including the UK’s National Health Service (NHS), shipping company FedEx, and automaker Renault, suffered operational paralysis.
While WannaCry primarily spread via network vulnerabilities, reports suggest that some infections were accelerated through unmonitored USB devices. In environments where critical systems were isolated from the internet, infected USB drives inadvertently introduced the ransomware.
USB Hygiene Lesson: Limiting USB usage to authorised, scanned devices and enforcing encryption could have prevented the physical transfer of the malware into air-gapped or sensitive systems. Even basic removable media protocols would have slowed the spread considerably.
2. NotPetya (2017)
NotPetya, appearing just a few months after WannaCry, is another entry in the list of biggest ransomware attacks. Initially targeting Ukrainian organisations through compromised accounting software, it rapidly spread globally, hitting companies like Maersk, Merck, FedEx’s TNT Express, and Mondelez. The attack caused billions of dollars in losses and highlighted how ransomware could cascade through supply chains.
In some cases, infected USB drives were reported as secondary infection vectors, particularly in offices that relied on portable media to transfer documents and software updates.
USB Hygiene Lesson: Enforcing strict scanning procedures and controlling which USB devices could connect to corporate endpoints would have reduced NotPetya’s reach. Restricting the use of removable media in high-risk departments could have prevented secondary infections.
3. Ryuk (2018–2020)
Ryuk ransomware emerged in 2018 and became notorious for targeting hospitals, local governments, and critical infrastructure. Unlike indiscriminate ransomware such as WannaCry, Ryuk was highly targeted, often deployed after initial infiltration via phishing campaigns or TrickBot infections. Its ransom demands were substantial, sometimes reaching millions of dollars.
While most Ryuk infections began digitally, hospitals and municipal offices frequently used removable media to transfer patient records, system backups, and other critical files. Large ransomware attacks such as Ryuk demonstrate how physical devices can inadvertently facilitate malware propagation.
USB Hygiene Lesson: Strict device management, scanning USB drives before use, and educating staff on risks could have prevented Ryuk from hopping between systems, particularly in environments where endpoint security was unevenly applied.
4. SamSam (2015–2018)
SamSam ransomware was known for its methodical, hands-on approach to attacking public institutions and healthcare organisations. Unlike other ransomware strains, SamSam was often manually deployed after attackers gained administrative access. It caused major disruptions to hospitals, city governments, and educational institutions, with some incidents resulting in operational shutdowns for days.
Removable media played a subtle role in spreading SamSam in environments that relied on USB drives for backups or file transfer. In multiple cases, local contractors and administrative staff connected infected drives to critical systems, inadvertently propagating the ransomware.
USB Hygiene Lesson: A formal policy limiting USB usage, paired with mandatory scanning, would have reduced the likelihood of SamSam infections through physical media. Ensuring that only verified devices are connected to key systems is a critical step in preventing ransomware escalation.
5. WannaRen/Bad Rabbit (2017)
Bad Rabbit, sometimes called WannaRen, targeted media and transportation sectors in Eastern Europe, spreading primarily via fake Flash Player installers. While the malware was network-aware, reports indicated that USB drives contributed to its spread within certain corporate environments, especially where employees frequently shared external drives between systems.
As with other examples in the list of biggest ransomware attacks, the reliance on portable media accelerated the infection curve and increased operational downtime.
USB Hygiene Lesson: Limiting the use of USB drives for software updates, training staff to avoid connecting unknown devices, and enforcing encryption would have hindered Bad Rabbit’s ability to spread within organisations.
Common Themes Across the Biggest Ransomware Attacks

Reviewing these incidents reveals recurring factors that exacerbate ransomware risk:
- Removable media exposure: USB drives and other external storage often serve as secondary infection vectors, particularly in air-gapped or network-isolated systems.
- Lack of endpoint control: Without strict device management, malware can propagate from a single compromised USB device to multiple endpoints.
- Human factors: Employees, contractors, and partners sometimes unknowingly introduce ransomware via shared drives, portable backups, or external software.
- Supply chain vulnerability: Ransomware that begins in one organisation can spread to others when devices or files are moved without verification or scanning.
These lessons reinforce why USB hygiene is an essential part of modern ransomware prevention.
Practical USB Hygiene Tips to Prevent Ransomware
- Restrict USB Access: Only allow authorised devices on corporate systems, especially critical or sensitive endpoints.
- Mandatory Scanning: Implement automatic scanning of all removable media before allowing read/write access.
- Encryption: Require full-disk encryption for USB drives to prevent malware from hiding in unprotected files.
- Educate Staff: Train employees and contractors to recognise risky USB practices, such as plugging in unknown devices.
- Controlled Backups: Avoid transferring sensitive backups via USB; instead, use secure network or cloud storage with verified access.
- Logging and Monitoring: Track which devices are connected to endpoints and monitor for unusual file activity.
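The "Restrict USB Access" and "Logging and Monitoring" tips can be combined into one check, shown here as an added example that is not part of the original article. It assumes a Linux endpoint and reads kernel log lines (`dmesg` / `journalctl -k`); the allow-list, the function name and the sample log are constructed for illustration.

```python
import re

# Allow-list of authorised drives keyed by (vendor id, product id, serial).
# Constructed sample value, not a real inventory entry.
ALLOWED = {("0781", "5583", "AA00000000000001")}

# Constructed sample in the Linux kernel log format.
SAMPLE_LOG = """\
[ 100.000001] usb 1-2: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
[ 100.000002] usb 1-2: SerialNumber: AA00000000000001
[ 100.000003] usb-storage 1-2:1.0: USB Mass Storage device detected
[ 150.000001] usb 1-2: USB disconnect, device number 4
[ 200.000001] usb 1-2: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
[ 200.000002] usb 1-2: SerialNumber: ZZ99999999999999
[ 200.000003] usb-storage 1-2:1.0: USB Mass Storage device detected
[ 300.000001] usb 1-3: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
[ 400.000001] usb 2-1: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.00
[ 400.000002] usb-storage 2-1:1.0: USB Mass Storage device detected
"""

FOUND = re.compile(r"usb (\S+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
SERIAL = re.compile(r"usb (\S+): SerialNumber: (\S+)")
STORAGE = re.compile(r"usb-storage ([^:\s]+):\S+ USB Mass Storage device detected")
GONE = re.compile(r"usb (\S+): USB disconnect")

def unauthorised_storage(log, allowed=ALLOWED):
    """Return (timestamp, port, vid, pid, serial) for each mass-storage attach not on the allow-list."""
    ports = {}   # port -> identity of the device currently plugged into it
    alerts = []
    for line in log.splitlines():
        ts = line[1:line.index("]")].strip() if line.startswith("[") else ""
        if m := FOUND.search(line):
            ports[m[1]] = {"vid": m[2], "pid": m[3], "serial": None}
        elif (m := SERIAL.search(line)) and m[1] in ports:
            ports[m[1]]["serial"] = m[2]
        elif m := GONE.search(line):
            ports.pop(m[1], None)   # a later device on this port must not inherit the old serial
        elif (m := STORAGE.search(line)) and m[1] in ports:
            d = ports[m[1]]
            # Same model with a different serial, or no serial at all, is not authorised.
            if (d["vid"], d["pid"], d["serial"]) not in allowed:
                alerts.append((ts, m[1], d["vid"], d["pid"], d["serial"]))
    return alerts

if __name__ == "__main__":
    for alert in unauthorised_storage(SAMPLE_LOG):
        print("unauthorised USB storage:", alert)
```

Matching on the serial number as well as vendor and product ID is what separates one authorised drive from any other drive of the same model. The keyboard in the sample is ignored because it never registers as mass storage.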
In Conclusion
The biggest ransomware attacks in history, from WannaCry and NotPetya to Ryuk, SamSam, and Bad Rabbit, have demonstrated how rapidly malware can disrupt operations, steal data, and inflict financial damage. While network-based attacks often dominate headlines, the role of USB and other removable media should not be overlooked.
Strict USB hygiene, combined with endpoint protection, employee training, and device control, can significantly mitigate ransomware risk. For organisations seeking to safeguard critical systems and maintain operational resilience, investing in these practices is essential.
By learning from past incidents and enforcing robust USB policies, you can prevent future ransomware attacks from reaching critical systems and causing costly disruptions.