
Topic review

martin

Re: Preloaded Trojan virus in the portable WinSCP

We never had any reports of ransomware connected with WinSCP. We actually didn't have any kind of infection ever in our downloads since WinSCP was introduced over 20 years ago.

I'm sure that the ransomware does not come from our downloads. Your copy of WinSCP must have been infected on your machines.
Sherrychen

I did a bit more Google searching, and found that it is possible for hackers to wait several months before attacking the system after gaining access to the network: https://www.wingswept.com/hackers-wait-months-after-network-access-to-trigger-ransomware/, so it makes sense that both times the attack occurred at a similar point after the data transfer started. I also googled the MedusaLocker ransomware, and it looks like this virus first appeared in September 2019. I wonder if it was able to bypass antivirus detection. It might be important to check the portable WinSCP version.
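One way to actually check an extracted portable package, rather than relying on what an IT team reports: verify the Authenticode signature on every executable and compute each file's SHA-256 so it can be compared with the checksums the vendor publishes. The script below is an added example, not code from this thread or from the WinSCP project; the folder path and the expected-hash table are placeholders (constructed values) that you fill in from the vendor's own download page.

```powershell
# Added example, not from the forum thread or the WinSCP project.
# Lists every executable in an extracted portable folder with its Authenticode
# signature status, signer subject, SHA-256 and last-write time, so the package can
# be compared against what the vendor publishes.
# Assumptions: $PortableDir points at the extracted package; $ExpectedSha256 is
# filled in by hand from the vendor's published checksums (placeholders below are constructed).

param(
    [string]$PortableDir = 'C:\Tools\WinSCP-Portable'
)

# Constructed placeholder: replace each value with the vendor-published SHA-256.
$ExpectedSha256 = @{
    'WinSCP.exe' = '<paste vendor SHA-256 here>'
    'WinSCP.com' = '<paste vendor SHA-256 here>'
}

$results = Get-ChildItem -Path $PortableDir -Recurse -Include *.exe,*.com,*.dll | ForEach-Object {
    $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
    $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash

    $expected = $ExpectedSha256[$_.Name]
    $hashCheck = if (-not $expected -or $expected -like '<*') { 'NoReference' }
                 elseif ($expected -ieq $hash)                { 'Match' }
                 else                                         { 'MISMATCH' }

    [pscustomobject]@{
        File      = $_.FullName
        SigStatus = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        SHA256    = $hash
        HashCheck = $hashCheck
        LastWrite = $_.LastWriteTimeUtc    # a file written long after the others stands out
    }
}

$results | Format-Table -AutoSize

# Anything listed here deserves a closer look before blaming (or clearing) the download.
$suspect = $results | Where-Object { $_.SigStatus -ne 'Valid' -or $_.HashCheck -eq 'MISMATCH' }
if ($suspect) {
    Write-Warning 'Files with invalid or missing signatures, or hash mismatches:'
    $suspect | Format-Table File, SigStatus, HashCheck -AutoSize
}
```

Two caveats when reading the output. A valid signature only proves the file is unchanged since a particular signer signed it, so compare the signer subject with what the vendor states rather than trusting "Valid" on its own. And a trojaned package is as likely to contain an extra executable as a modified one, so look at every file the listing shows, not just the ones you expected to find.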
Sherrychen

Re: Preloaded Trojan virus in the portable WinSCP

Thanks for the reply. In this case, the unit was a Windows machine I rented from a company. They mentioned that they have other units with WinSCP installed, but those were not affected. Their IT conducted an analysis, and told me that the ransomware was part of the executables in the portable package I downloaded from here. In both cases, the attack occurred around the 20th day of data transfer (with about 30 TB of data already transferred to the remote server). So it is also a bit puzzling to me: if the ransomware was preloaded when I downloaded the portable package, why didn't the attack happen right away? I wonder if they were waiting to see a significant amount of traffic from this unit before activating the attack?

Are you aware of other cases of ransomware attacks while using WinSCP? If their IT shares the report with me, I will check for more information. I wonder if this ransomware could go undetected by the antivirus software.
Sherrychen

Preloaded Trojan virus in the portable WinSCP

Hello, I was using the portable WinSCP for remote data transfer. However, we were attacked by ransomware twice. Both times were from the same hacker. The IT department determined that the portable WinSCP we were using had the MedusaLocker ransomware preloaded as a trojan. I think it is important to bring this to the forum, so that people can check this, and the WinSCP developers can check this.