Geopolitics

Leaked NSA tools were once again used in a global ransomware attack

A tool leaked by The Shadow Brokers was found to be used in the 'BadRabbit' attack.

October 27, 2017

(Creative Time Reports / Flickr)

Another global ransomware outbreak was powered with a leaked, fully operational NSA hacking tool that had been released by The Shadow Brokers, according to researchers with cybersecurity firms Cisco Talos, IB Group and Symantec.

The latest international ransomware incident occurred on Tuesday and primarily affected computers in Ukraine and Russia. Analysts studying malware samples connected to this event, dubbed “BadRabbit,” found Thursday that the carefully prepared attack contained an exploit known as “EternalRomance.”

Update: Talos has identified an eternal romance component and more! https://t.co/H4BAi4wRhE

— Craig (@security_craig) October 26, 2017

Some researchers say the BadRabbit operation had been planned for months, dating back perhaps to as far as Feb. 2017, according to FireEye, or July 2017, based on digital evidence found by Kaspersky Lab.

It appears the attackers behind #Badrabbit have been busy setting up their infection network on hacked sites since at least July 2017. pic.twitter.com/fV5U1FeVtR

— Costin Raiu (@craiu) October 24, 2017

EternalRomance is effective against older Microsoft operating systems, including Windows XP and Server 2003. It is used to remotely install a malicious payload onto a computer. The tool is just one component of a larger hacking framework, which in the BadRabbit case included techniques unassociated with any intelligence agency.

The findings are significant because they show, once again, the lasting impact and negative consequences of when government-sponsored cyber weapons land in the wrong hands. Even though EternalRomance is more than 4 years old and can only affected outdated systems, the exploit continues to be effective against a large number of computers and organizations.

BadRabbit is the third consecutive ransomware outbreak believed to have been launched with NSA tools attached. The first two, respectively known as WannaCry and NotPetya, affected far more computers in a greater number of nations. Researchers say WannaCry was the work of North Korean hackers while NotPetya is connect to a group known as “Telebot,” according to Czech cybersecurity firm ESET, which is associated with Russia.

Preliminary analysis suggests there may be some connection between BadRabbit and this Telebots group, according to ESET, IB Group and Kaspersky Lab.

CyberScoop previously confirmed, citing former U.S. intelligence officials, that the exploits shared by the group were in fact used by the NSA in the past. The counterintelligence investigation into The Shadow Brokers is ongoing.

Leaked NSA tools were once again used in a global ransomware attack

More Like This

Campaigns and political parties are in the crosshairs of election meddlers

CISA ransomware warning program set to fully launch by end of 2024

Stolen Change Healthcare data could contain information on ‘a substantial portion’ of Americans

Top Stories

Iranian nationals charged with hacking U.S. companies, Treasury and State departments

FCC wants rules for ‘most important part of the internet you’ve probably never heard of’

More Scoops

Another well-known hacking group using leaked NSA hacking tools

Japanese businesses are the latest victims of attacks disguised as ransomware

Global ransomware attacks tiptoed around Russian anti-virus products

NotPetya ransomware cost Merck more than $310 million

Early evidence suggests ties between Russian hackers and ‘BadRabbit’ attack

‘BadRabbit’ ransomware spreading across Ukraine, Russia

Global ransomware outbreak spread in part due to NSA-linked hacking tool

Latest Podcasts

How Troy Hunt knows if you’ve been hacked and Washington tries to understand AI

Why pig butchering is the worst kind of online scam

How the FBI fights ransomware

Rumman Chowdhury on AI red-teaming; a Sisense supply chain attack

Government

Technology

Threats

Geopolitics