The global epidemic of Wannacry ransomware infections was the result of petty criminals fusing an old ransomware strain with a leaked NSA cyberweapon that was released by The Shadow Brokers, and the result was tens of millions of dollars' worth of economic harm.
A new ransomware epidemic, dubbed "Bad Rabbit," is also spreading at an unprecedented rate thanks to its use of "Eternalromance," an open source Python version of the NSA's Eternalsynergy tool, which was also dumped by the Shadow Brokers.
Eternalromance/Eternalsynergy exploit a bug in Microsoft's SMB protocol. This bug was discovered or purchased by the NSA, who chose to withhold its existence from Microsoft, deliberately ensuring that the bug would remain intact on computers worldwide, so the NSA could attack them at will. This doctrine is called "NOBUS" — "No One But Us" — and it only works if no one ever independently rediscovers the NSA's bugs, and if the NSA never loses control of its exploits. Both have been known to happen.
Due to a number of similarities between Bad Rabbit and NotPetya—including the use of the commercial DiskCryptor code to encrypt the victim's hard drive and the presence of "wiper" code that could erase drives attached to the targeted system—Kaspersky Lab researchers have said that there are "clear ties" between the two malware attacks, and other researchers have reached similar conclusions. But there are two major differences: the use of a different exploit and the apparent targets of the attack. This time, the targets have apparently been primarily in Russia.
"There is a lot of speculation that Russia is the main target, which may be true, but does not rule out Russia as the attacker," said Dr. Andrea Little Limbago, chief social scientist at Endgame. "BadRabbit hit Russian media companies—and Putin has a history of cracking down on the media." And the attack also affected critical infrastructure companies in Ukraine. "It is too early to rule out any potential attacker," Limbago added, "and as always, motives and intent are extremely nuanced, and [we] must consider both domestic and international motivations."
Bad Rabbit used NSA "EternalRomance" exploit to spread, researchers say
[Sean Gallagher/Ars Technica]