A USB drop attack is a cyberattack in which an attacker deliberately leaves a malware-loaded USB drive in a location where someone is likely to find it and plug it into a computer.
The attack requires no phishing email, no network intrusion, and no technical knowledge on the part of the victim. It simply requires curiosity, and curiosity, as it turns out, is extremely reliable.
Once the device is connected, the payload runs: in the simplest cases when the finder opens a file on the drive, in the keystroke-injection cases within seconds of the device enumerating. From that point, the attacker may have access to the victim’s machine, their files, and potentially the wider network that machine is connected to.
Why USB drop attacks work
USB drop attacks are a form of social engineering. The delivery does not depend on a software vulnerability, although the payload may well use one; what the attack exploits first is human behaviour.
Research consistently shows that people pick up and plug in unknown USB drives at a surprisingly high rate. A well-known 2016 study by researchers at the University of Illinois dropped 297 drives around the university campus: 45% of them were plugged in and had at least one file opened, and the first was connected within six minutes of being dropped.
The psychology is straightforward. When someone finds a USB drive, they want to know who it belongs to, what is on it, or both. That instinct to investigate overrides security awareness training in many cases, particularly when the drive appears harmless or is labelled with something compelling.
Attackers exploit this in several ways. A drive left in a car park near a government building might be labelled “Redundancy List 2025.” One left in a hospital corridor might say “Patient Records.” One sent through the post might arrive in branded packaging with a letter encouraging the recipient to plug it in to claim a reward, which is exactly the method used by the FIN7 cybercrime group in attacks on defence contractors and transport companies documented in FBI warnings issued in 2020 and 2022.
The disguise does not need to be sophisticated. It just needs to be plausible enough to create curiosity.
Types of USB drop attack
Not all USB drop attacks work in the same way. The payload and method vary depending on what the attacker is trying to achieve.
| Attack type | How it works | Primary goal |
|---|---|---|
| Social engineering and baiting | Drive contains files with enticing names that open a link to a phishing site | Credential theft |
| Malicious code execution | Files on the drive install malware when opened, or on connection where legacy autorun is still enabled | Ransomware, spyware, data theft |
| HID spoofing | Device identifies itself as a keyboard and injects keystrokes the moment it is connected | Remote access, command execution |
| Destructive attack | Device discharges an electrical surge into the USB port | Physical damage to hardware |
| Data exfiltration tool | Device silently copies files from the host machine | Intellectual property theft, espionage |
Social engineering and baiting
The simplest form. The drive contains files with names designed to provoke a click: salary information, confidential reports, or sensitive-sounding documents. Clicking opens a link to a phishing site where the victim is prompted to enter credentials or download further malware.
Malicious code execution
Files on the drive trigger malware installation when opened or, on systems where autorun is still enabled, automatically when the drive is connected. The payload can be anything from ransomware to spyware to a remote access tool that gives the attacker persistent access to the machine.
HID spoofing
The most technically advanced form. The device is programmed to identify itself to the host as a keyboard (a USB human interface device) rather than, or as well as, a storage device. Because operating systems accept a new keyboard without asking the user, it can begin injecting pre-programmed keystrokes as soon as it enumerates: opening a command prompt, downloading a payload, and establishing remote access in seconds.
This technique sits at the intersection of the USB drop attack and BadUSB, the 2014 research showing that a USB device’s firmware can be reprogrammed so it presents as a completely different device type. Both exploit the same fundamental trust that operating systems place in whatever a connected device says it is.
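That trust is visible in the kernel log the moment a device enumerates, and that is where a scanning station or a locked-down workstation can make a decision before any keystroke lands. The following Python is an added example, not code from the original page or from any vendor mentioned on it: it parses dmesg-style USB enumeration and driver-binding lines (the formats printed by the Linux usb, usb-storage and hid-generic drivers), records which interface classes each device actually exposes, and blocks anything that offers a keyboard interface on a port where only mass storage is expected. The three-device log it runs on is constructed, and the vendor/product IDs 1234:000x are placeholders. The same logic answers the antivirus question in the FAQ below: keystroke injection is caught by what the device claims to be, not by any file it carries.

```python
import re
from dataclasses import dataclass, field

# Kernel log patterns for USB enumeration and driver binding. search() is used
# so the "[ seconds ]" dmesg timestamp prefix is ignored.
NEW_DEVICE_RE = re.compile(
    r"usb (\S+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
PRODUCT_RE = re.compile(r"usb (\S+): Product: (.+)$")
STORAGE_RE = re.compile(r"usb-storage (\S+):\d+\.\d+: USB Mass Storage device detected")
# hid-generic names the HID device 0003:VVVV:PPPP.NNNN and states its type
# (Keyboard, Mouse, Device) after the HID version.
HID_RE = re.compile(
    r"hid-generic 0003:([0-9A-Fa-f]{4}):([0-9A-Fa-f]{4})\.\w+: \S+: USB HID v[\d.]+ (\w+) \[")


@dataclass
class UsbDevice:
    port: str                  # kernel name, e.g. "1-1.2": bus 1, hub port 1, port 2
    vid: str
    pid: str
    product: str = ""
    interfaces: set = field(default_factory=set)


def parse_usb_log(lines):
    """Build a per-port picture of what each attached USB device claims to be."""
    by_port, by_id = {}, {}
    for line in lines:
        if m := NEW_DEVICE_RE.search(line):
            port, vid, pid = m.groups()
            dev = UsbDevice(port, vid.lower(), pid.lower())
            by_port[port] = dev
            # hid-generic lines carry VID:PID rather than the port, so keep a second
            # index. Two identical devices attached at once would collide here; a
            # production version should key on the sysfs path instead.
            by_id[f"{dev.vid}:{dev.pid}"] = dev
        elif m := PRODUCT_RE.search(line):
            if m.group(1) in by_port:
                by_port[m.group(1)].product = m.group(2).strip()
        elif m := STORAGE_RE.search(line):
            if m.group(1) in by_port:
                by_port[m.group(1)].interfaces.add("storage")
        elif m := HID_RE.search(line):
            key = f"{m.group(1).lower()}:{m.group(2).lower()}"
            if key in by_id:
                by_id[key].interfaces.add("hid-" + m.group(3).lower())
    return by_port


def classify(dev):
    """Verdict for a device on a port where only mass storage is expected."""
    hid = {i for i in dev.interfaces if i.startswith("hid-")}
    if "storage" in dev.interfaces and hid:
        return "composite-storage-hid"   # storage plus a keyboard: BadUSB pattern
    if hid:
        return "hid-only"                # a "flash drive" that is really a keyboard
    if "storage" in dev.interfaces:
        return "storage-only"
    return "unrecognised"


BLOCK_VERDICTS = {"composite-storage-hid", "hid-only", "unrecognised"}


def triage_log(lines):
    """Return {port: (product string, verdict, action)} for every device in the log."""
    result = {}
    for port, dev in parse_usb_log(lines).items():
        verdict = classify(dev)
        result[port] = (dev.product, verdict, "block" if verdict in BLOCK_VERDICTS else "allow")
    return result


# Constructed sample log (not a real capture): three devices that all call
# themselves "Flash Disk". Vendor/product IDs 1234:000x are placeholders.
SAMPLE_LOG = """\
[  101.100000] usb 1-1.1: New USB device found, idVendor=1234, idProduct=0001, bcdDevice= 1.00
[  101.101000] usb 1-1.1: Product: Flash Disk
[  101.250000] usb-storage 1-1.1:1.0: USB Mass Storage device detected
[  205.300000] usb 1-1.2: New USB device found, idVendor=1234, idProduct=0002, bcdDevice= 1.00
[  205.301000] usb 1-1.2: Product: Flash Disk
[  205.420000] input: Flash Disk as /devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1.2/1-1.2:1.0/0003:1234:0002.0005/input/input22
[  205.421000] hid-generic 0003:1234:0002.0005: input,hidraw0: USB HID v1.11 Keyboard [Flash Disk] on usb-0000:00:14.0-1.2/input0
[  310.500000] usb 1-1.3: New USB device found, idVendor=1234, idProduct=0003, bcdDevice= 1.00
[  310.501000] usb 1-1.3: Product: Flash Disk
[  310.600000] usb-storage 1-1.3:1.0: USB Mass Storage device detected
[  310.700000] hid-generic 0003:1234:0003.0006: input,hidraw1: USB HID v1.11 Keyboard [Flash Disk] on usb-0000:00:14.0-1.3/input1
"""

if __name__ == "__main__":
    for port, (product, verdict, action) in triage_log(SAMPLE_LOG.splitlines()).items():
        print(f"{port:6} {product:12} {verdict:24} -> {action}")
```

The first device is a plain storage stick and is allowed on to the scanner; the second never offers storage at all and is a keystroke injector; the third offers both, which is the BadUSB composite pattern. In production the verdict would feed an enforcement mechanism such as a USBGuard policy or a udev rule that refuses to bind the HID driver on scanning-station ports, rather than a log line after the fact.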
Destructive attacks
A small category of USB devices is designed not to deliver malware but to physically destroy the host by discharging a high-voltage surge into the USB port. These are a sabotage tool rather than an opportunistic one, and no software control helps against them: the only defence is that an unknown device is never plugged into an operational system.
Real-world examples
USB drop attacks are not theoretical. They have been used in some of the most significant cyber incidents on record.
The Stuxnet worm, which caused physical damage to centrifuges at Iran’s Natanz enrichment facility, is widely reported to have entered via infected USB drives. The control network was air-gapped, so removable media was the practical entry point, and the worm did not rely on the finder opening anything: it abused a Windows shortcut (.LNK) parsing vulnerability, CVE-2010-2568, so that merely browsing the drive in Explorer was enough to execute it. It remains the most studied example of what happens when a drop attack reaches a high-security isolated environment.
The FIN7 incidents referenced above followed the same physical delivery logic, scaled to a criminal operation across several sectors. The mailed devices were not storage at all: according to the FBI, they registered as keyboards and injected commands that fetched the group’s malware, so there was no file for the recipient to open and nothing for a file-based scanner to find. The packaging was convincing enough that some recipients plugged the devices in.
Who is most at risk
Any organisation where employees or visitors handle USB devices carries some level of exposure. But the risk is significantly higher in certain environments.
| Environment | Why USB drop attacks are particularly dangerous |
|---|---|
| Defence and government | High-value targets, classified networks, frequent contractor access |
| Industrial and OT | Air-gapped systems where USB is the primary data entry method |
| Healthcare | Legacy medical devices, high device volume, non-technical staff |
| Maritime | Remote locations, contractor-heavy operations, offline environments |
| Corporate offices | High-footfall areas such as reception, car parks, and canteens |
Environments running industrial control systems face a particular combination of factors. The networks are often air-gapped, which makes USB the primary data transfer method. The systems frequently run legacy operating systems that cannot run modern endpoint security. And sites receive regular visits from contractors and maintenance engineers carrying devices that have been used across multiple locations.
In government and defence settings the stakes are higher still. A successful drop attack against a classified environment does not just mean a ransomware infection. It can mean a breach of sensitive information, compromised operational security, or a persistent threat actor presence inside a protected network.
Maritime environments carry similar risks at sea, where crew have limited cybersecurity training, contractors board at every port, and the vessel may operate for extended periods without any IT support available.
Why training alone is not enough
Staff awareness is an essential part of any defence against USB drop attacks. Employees should understand the risk, know not to connect unknown devices, and have a clear process for reporting suspicious hardware.
But training does not eliminate the risk. It reduces it.
People make mistakes under pressure. New starters may not yet have completed security training. Visitors and contractors may not be subject to the same awareness programme as permanent staff. A drive left in a convincing location with a compelling label will catch someone out eventually.
A removable media security policy defines the rules, but policy alone does not stop a curious employee from plugging in a drive they found in the car park. The organisations that manage this risk effectively do not rely on human judgement as the last line of defence. They put a technical control in place that works regardless of what the person does.
How to protect against USB drop attacks
Staff awareness and policy
Employees should know that finding a USB drive does not mean connecting it. Any unknown device found on or near company premises should be handed to the IT or security team for inspection rather than connected to any machine.
Disabling autorun across all systems removes the ability of a dropped storage device to execute its payload automatically on connection; on Windows this is the “Turn off AutoPlay” policy, which sets NoDriveTypeAutoRun to 0xFF so that every drive type is covered. It should be treated as a baseline configuration requirement, not a complete solution in itself: it does nothing against a device that presents itself as a keyboard.
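Checking that the policy is actually in force is easier than it sounds, because a registry export shows the whole picture. The following Python is an added example (not from the original page or from Tyrex): it reads a Windows .reg export, decodes the NoDriveTypeAutoRun bitmask, honours NoAutorun, and reports whether removable drives are really blocked. It assumes, as Microsoft’s guidance states, that the machine-level policy overrides the per-user one. Both exports it checks are constructed: the weak one carries the Windows default 0x91, which leaves removable drives enabled, and the hardened one carries 0xFF plus NoAutorun=1.

```python
import re

# Bit n of NoDriveTypeAutoRun disables AutoRun for the drive type whose
# GetDriveType() code is n. A set bit means AutoRun is OFF for that type.
DRIVE_TYPE_BITS = {
    "unknown": 0x01,
    "no_root_dir": 0x02,
    "removable": 0x04,   # USB flash drives and card readers
    "fixed": 0x08,
    "remote": 0x10,
    "cdrom": 0x20,
    "ramdisk": 0x40,
    "reserved": 0x80,
}
WINDOWS_DEFAULT_MASK = 0x91   # unknown + remote + reserved: removable drives still enabled
DISABLE_ALL_MASK = 0xFF
POLICY_KEY_SUFFIX = r"\microsoft\windows\currentversion\policies\explorer"


def parse_reg_export(text):
    """Minimal .reg parser: {key path (lower-case): {value name (lower-case): int}} for dword values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if m := re.fullmatch(r"\[(.+)\]", line):
            current = m.group(1).lower()
            keys.setdefault(current, {})
        elif (m := re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{1,8})', line)) and current:
            keys[current][m.group(1).lower()] = int(m.group(2), 16)
    return keys


def explorer_policy(keys, hive):
    """Values under <hive>\\...\\Policies\\Explorer, or {} if the key is absent."""
    for path, values in keys.items():
        if path.startswith(hive.lower() + "\\") and path.endswith(POLICY_KEY_SUFFIX):
            return values
    return {}


def decode_mask(mask):
    """Which drive types a NoDriveTypeAutoRun value disables AutoRun for."""
    return {name: bool(mask & bit) for name, bit in DRIVE_TYPE_BITS.items()}


def audit_autorun(reg_text):
    keys = parse_reg_export(reg_text)
    hklm = explorer_policy(keys, "HKEY_LOCAL_MACHINE")
    hkcu = explorer_policy(keys, "HKEY_CURRENT_USER")
    # Assumption per Microsoft KB967715: the HKLM value overrides HKCU. With
    # neither set, Windows behaves as if the default mask were present.
    if "nodrivetypeautorun" in hklm:
        source, mask = "HKLM", hklm["nodrivetypeautorun"]
    elif "nodrivetypeautorun" in hkcu:
        source, mask = "HKCU", hkcu["nodrivetypeautorun"]
    else:
        source, mask = "default", WINDOWS_DEFAULT_MASK
    # NoAutorun=1 stops autorun.inf being processed at all, whatever the mask says.
    no_autorun = hklm.get("noautorun", hkcu.get("noautorun", 0)) == 1
    disabled = decode_mask(mask)
    return {
        "source": source,
        "mask": mask,
        "disabled_for": sorted(t for t, off in disabled.items() if off),
        "noautorun": no_autorun,
        "removable_autorun_blocked": no_autorun or disabled["removable"],
        "all_types_blocked": no_autorun or (mask & DISABLE_ALL_MASK) == DISABLE_ALL_MASK,
    }


# Constructed exports (not taken from any real host).
WEAK_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"""

HARDENED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
"NoAutorun"=dword:00000001
"""

if __name__ == "__main__":
    for label, export in (("weak", WEAK_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(label, audit_autorun(export))
```

The weak export is the one most often found on systems that were "hardened" by someone who set the value in the user hive only, or who left the default in place; the audit reports removable drives as still enabled in both cases. The hardened export is what the Group Policy setting produces.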
Hardware-based scanning at the point of entry
For environments where USB devices are in regular use, the most effective technical control is a dedicated hardware scanning station. Every device that enters the environment passes through the scanner before it reaches any operational system, regardless of who brought it or where it came from.
This is the principle behind the sheep dip station approach long used in defence environments: treat every device as untrusted until it has been inspected in isolation. The scanning station operates in a completely isolated hardware environment, so the host system is never exposed during the process. If a threat is detected it is quarantined before it can execute.
Tyrex K-REX stations run five antivirus engines and two anti-malware engines simultaneously, produce a scan log for audit purposes, and operate fully offline, making them suitable for the air-gapped and remote environments where USB-borne threats are most dangerous. Even if someone brings in a device they should not have, it is inspected before it reaches the network, provided the process is enforced: endpoints should be configured to reject removable media that has not been through the station, otherwise a drive found in the car park can still go straight into a workstation.
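As a concrete illustration of the sheep-dip principle, the following Python is an added example; it is not Tyrex’s code and does not describe how K-REX works internally. It walks a volume that has been mounted read-only on an isolated machine, flags the artefacts that file-borne USB payloads rely on (an autorun.inf with an execution directive, launchable file types, and an executable disguised with a document-style double extension), and produces one hashed scan-log line per file for audit. The sample drive contents are constructed in a temporary directory: the file names and bytes are invented for the demo, and the MZ and PK headers are placeholders, not real malware. It deliberately does not try to be an antivirus engine; the point is the process (inspect in isolation, record, quarantine) rather than the signature set.

```python
import hashlib
import os
import re
import tempfile
from datetime import datetime, timezone

# File types that execute or launch something when double-clicked.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".ps1", ".vbs",
                  ".vbe", ".js", ".jse", ".wsf", ".hta", ".msi", ".dll", ".jar", ".lnk"}
# Extensions an attacker places before the real one so the file looks like a document.
DECOY_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt", ".jpg", ".png"}
# autorun.inf directives that cause execution on systems where autorun is still honoured.
AUTORUN_EXEC = re.compile(r"^\s*(open|shellexecute|shell\\[^\\=\s]+\\command)\s*=", re.I | re.M)


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inspect_file(root, path):
    """One scan-log record for a single file; never modifies the volume."""
    name = os.path.basename(path)
    parts = name.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    flags = []
    if name.lower() == "autorun.inf":
        with open(path, "r", errors="replace") as f:
            text = f.read()
        flags.append("autorun.inf with execution directive" if AUTORUN_EXEC.search(text)
                     else "autorun.inf present")
    if ext in EXECUTABLE_EXT:
        flags.append(f"launchable type {ext}")
        if len(parts) > 2 and "." + parts[-2] in DECOY_EXT:
            flags.append("double extension disguised as document")
    return {
        "path": os.path.relpath(path, root),
        "size": os.path.getsize(path),
        "sha256": sha256_of(path),
        "flags": flags,
        "verdict": "quarantine" if flags else "clean",
    }


def triage_volume(root):
    """Walk a read-only mounted volume and return one record per file."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in sorted(files):
            records.append(inspect_file(root, os.path.join(dirpath, fn)))
    return records


def scan_log_lines(records, device_label):
    """Audit-log lines in the shape a sheep-dip station would keep, one per file."""
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    return [f"{stamp} {device_label} {r['verdict']:10} {r['sha256'][:16]} {r['path']} "
            f"{';'.join(r['flags'])}" for r in records]


def build_sample_drive(root):
    """Constructed contents of a dropped drive; not taken from any real incident."""
    samples = {
        "autorun.inf": b"[autorun]\r\nopen=setup.exe\r\nicon=setup.exe,0\r\nlabel=Company Files\r\n",
        "setup.exe": b"MZ" + b"\x00" * 62,                      # placeholder PE header
        "Salary Review 2025.pdf.exe": b"MZ" + b"\x00" * 62,     # decoy document name
        "Q3 report.docx": b"PK\x03\x04" + b"\x00" * 28,         # benign-looking zip container
        "Read me.lnk": b"L\x00\x00\x00" + b"\x00" * 72,         # placeholder shortcut header
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)


def demo():
    """Build the constructed drive in a temp directory and triage it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_drive(root)
        return triage_volume(root)


if __name__ == "__main__":
    for line in scan_log_lines(demo(), "DEV-0001"):
        print(line)
```

On the constructed drive four of the five files are quarantined and only the .docx passes, which is the right shape for a sheep dip: the station errs towards holding a file for a human decision, the hash in the log lets the decision be tied back to the exact bytes later, and the original volume is never written to.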
Frequently asked questions
What is the difference between a USB drop attack and a BadUSB attack?
A USB drop attack describes how a malicious device reaches its target, by being left somewhere the victim will find it. A BadUSB attack describes how the device works once connected, typically by impersonating a keyboard and injecting keystrokes. The two frequently overlap: many USB drop attacks use BadUSB techniques as the payload delivery mechanism.
Can antivirus software stop a USB drop attack?
Partially. Antivirus software can detect known malware payloads stored as files on the drive. It cannot detect HID spoofing or firmware-level attacks because those do not present as scannable files; that gap is closed by device control on the endpoint (allow-listing USB device classes and blocking newly attached keyboards) rather than by content scanning. Hardware-based scanning stations add a further layer for file-borne threats because they inspect the device in isolation before any operational host is exposed.
Is USB autorun still a risk?
Yes, though less so than in previous years. Since Windows 7, and since a 2011 update for earlier versions, Windows ignores autorun.inf on removable drives other than optical media, but the behaviour is controlled by policy and legacy systems may still honour it. Disabling autorun should be treated as a baseline control rather than a complete defence.
How do organisations manage the risk from contractor USB devices?
Requiring all external devices to pass through a dedicated scanning station before connection to any organisational system is the most effective approach. It removes the reliance on the contractor having followed good security practices themselves and creates an auditable record of every device that has entered the environment.
Are USB drop attacks still common?
Yes. Despite growing security awareness, USB drop attacks remain an active and documented threat. The FBI’s 2022 warning about FIN7 targeting defence contractors with mailed USB devices demonstrated that well-resourced threat actors continue to use this method because it works. The human element makes it resistant to purely technical defences, which is why the scanning station approach matters: it closes the gap even when awareness training does not.
The bottom line
USB drop attacks work because they bypass the perimeter and go straight to the human layer. No firewall, network monitor, or email filter stands between a found USB drive and the machine it gets plugged into.
The organisations most resilient to this threat combine clear staff awareness with a hardware-enforced scanning process that treats every USB device as untrusted until it has been inspected. Training reduces the likelihood of someone connecting an unknown drive. The scanner ensures that even if they do, what reaches the network has been inspected first.
Protect your network at the point of entry
Find out how Tyrex USB scanning stations stop drop attacks and other removable media threats before they reach your systems.