Leaked NSA tools were once again used in a global ransomware attack

A tool leaked by The Shadow Brokers was found to be used in the 'BadRabbit' attack.
National Security Agency
(Creative Time Reports / Flickr)

Another global ransomware outbreak was powered with a leaked, fully operational NSA hacking tool that had been released by The Shadow Brokers, according to researchers with cybersecurity firms Cisco Talos, IB Group and Symantec.

The latest international ransomware incident occurred on Tuesday and primarily affected computers in Ukraine and Russia. Analysts studying malware samples connected to this event, dubbed “BadRabbit,” found Thursday that the carefully prepared attack contained an exploit known as “EternalRomance.”

Some researchers say the BadRabbit operation had been planned for months, dating back perhaps to as far as Feb. 2017, according to FireEye, or July 2017, based on digital evidence found by Kaspersky Lab.


EternalRomance is effective against older Microsoft operating systems, including Windows XP and Server 2003. It is used to remotely install a malicious payload onto a computer. The tool is just one component of a larger hacking framework, which in the BadRabbit case included techniques unassociated with any intelligence agency.

The findings are significant because they show, once again, the lasting impact and negative consequences of when government-sponsored cyber weapons land in the wrong hands. Even though EternalRomance is more than 4 years old and can only affected outdated systems, the exploit continues to be effective against a large number of computers and organizations.

BadRabbit is the third consecutive ransomware outbreak believed to have been launched with NSA tools attached. The first two, respectively known as WannaCry and NotPetya, affected far more computers in a greater number of nations. Researchers say WannaCry was the work of North Korean hackers while NotPetya is connect to a group known as “Telebot,” according to Czech cybersecurity firm ESET, which is associated with Russia.

Preliminary analysis suggests there may be some connection between BadRabbit and this Telebots group, according to ESET, IB Group and Kaspersky Lab.


CyberScoop previously confirmed, citing former U.S. intelligence officials, that the exploits shared by the group were in fact used by the NSA in the past. The counterintelligence investigation into The Shadow Brokers is ongoing.

Latest Podcasts