Preloaded Trojan virus in the portable WinSCP

Hello, I was using the portable WinSCP for remote data transfer. However, we were attacked by ransomware twice. Both times were from the same hacker. The IT department determined that the portable WinSCP that we were using had preloaded the MedusaLocker ransomware as a trojan virus. I think it is important to bring this to the forum, so people could check this, and WinSCP developers can check this.

Thanks for your report. Though I'm sure the infection does not come from us.
Our downloads are under constant antivirus monitoring:
https://www.virustotal.com/gui/file/269a1020bfa8b958697e7b3aeec673fc68bdfe68c660cfa51f9f2d678004ebd5

Thanks for the reply. In this case, the unit was a Windows machine I rented from a company. They mentioned that they have other units installed WinSCP, but were not affected. Their IT conducted analysis, and told me that the ransomware was part of the executables in the portable package I downloaded from here. In both cases, the attack occurred around the 20th day of data transfer (with about 30 TB of data already being transferred to remote server). So it is also a bit puzzling to me if the ransomware was pre-loaded when I downloaded the portable package, why isn’t the attack happen right way? I wonder if they were waiting to see a significant amount of traffic from this unit before activating the attack?

Are you aware of other cases of ransomware attack while using WinSCP? If their IT shares the report with me, I will check for more information. I wonder if this ransomware could go undetected by the antivirus software.

I did a bit more google search, and found that it is possible for hackers to wait several months before attacking the system after gaining access to the network：https://www.wingswept.com/hackers-wait-months-after-network-access-to-trigger-ransomware/，so it makes sense that both time the attack occurred around similar times after data transfer started. I also googled the MedusaLocker ransomware, and looks like this virus first appeared in September 2019, I wonder if it was able to bypass antivirus detection. It might be important to check the portable WinSCP version.

We never had any reports of ransomware connected with WinSCP. We actually didn't have any kind of infection ever in our downloads since WinSCP was introduced over 20 years ago.

I'm sure that the ransomware does not come from our downloads. Your copy of WinSCP must have been infected on your machines.