Ransomware Ripping Through Russia and Ukraine Uses Stolen NSA Code

This week a new breed of ransomware, which locks down computers until a victim pays a fee, ripped throughout Russia, Ukraine, and a selection of other countries. The ransomware, known as Bad Rabbit, had a trick up its sleeve: it utilized a previously leaked exploit from the U.S. National Security Agency, giving the malware more power to spread throughout networks.

The news highlights the continuing fallout from one of the NSA’s most significant data breaches, both for the agency itself, but, more importantly, the wider public across the world.

Specifically, Bad Rabbit deployed an exploit called EternalRomance, according to research from Talos, part of cybersecurity firm Cisco. Security company Group-IB also told The Daily Beast that Bad Rabbit used the NSA’s exploit. EternalRomance takes advantage of an issue in SMB, a protocol for transferring data between connected Windows computers, and allows a hacker to more effectively propagate from infected machine to other targets.

Craig Williams, senior technical leader at Talos, told The Daily Beast the malware uses EternalRomance as a backup vector—if something else fails, EternalRomance can make sure the job gets done.

This exploit is a sought-after piece of code; something that criminal hackers or government spies may try to keep to themselves, for fear of it being fixed or falling into their adversaries’ hands. In this case, EternalRomance’s original owner, the NSA, lost control of that precious tool.

In April, a elusive group of self-described hackers called The Shadow Brokers released EternalRomance along with a cache of other powerful exploits onto the public internet, for anyone to download for free after somehow stealing it from the NSA. At the time of writing, it is not entirely clear how The Shadow Brokers obtained these exploits, or whether the breach is connected to one of the other myriad breaches which have plagued the NSA in recent years.

Microsoft had quietly patched EternalRomance and other exploits a month earlier, but hackers across the world quickly worked the NSA’s tools into their own code—plenty of organizations and individuals fail to install fixes even when they are available. Perhaps most devastating was the WannaCry malware in May, which used several of caused massive disruption throughout UK hospitals. More recently, another piece of ransomware called NotPetya, which researchers believe is something of a cousin of Bad Rabbit, used EternalRomance and hit energy companies and other infrastructure in Ukraine and beyond, including businesses in the U.S.

Bad Rabbit’s victims include major media organizations in Russia, the Kiev metro, and the Odessa International Airport in Ukraine, Group-IB noted in a blog post. In another post, the cybersecurity firm says it is highly likely that the hackers behind Bad Rabbit were one and the same as the earlier NotPetya campaign. Some Ukrainian analysts believe NotPetya was the work of Russian government hackers in an effort to cause disruption rather than generate any sort of financial revenue.

To be clear, the use of an NSA exploit is not the only factor behind the spread of this malware. As multiple security researchers have noted, the malware is delivered to a victim’s computer when they visit a specific set of websites, and, as mentioned, the exploit was used more as a backup mechanism.

But hackers deploying EternalRomance does still pour salt on a months-long open wound with the NSA’s ability to keep sensitive information secure, including some of its most valuable code and tools.