NSA Denies Leaked Hacker Tool Was Used to Create Bitcoin Ransomware
The U.S. National Security Agency (NSA) has denied that any of its hacking tools were used by cybercriminals to propagate an attack on Baltimore’s government systems.
The attack has crippled city services for several weeks now as officials mull over the next move. According to a statement released by Representative C.A. Dutch Ruppersberger, NSA officials who spoke to him have denied that any tools developed by the agency were used to hijack or disrupt vital government computer systems.
Going by Mayor Bernard Young’s statement, the city is not looking to pay the ransom demanded by the perpetrators, which is 3 bitcoins per infected system. Government officials concede that it could be months before all platforms are restored.
Although a vast majority of systems in the city were shut down in the wake of the malware attack, critical ones such as 911 and 311 networks were unaffected and are still on. The Wall Street Journal reports that approximately 10,000 government computers were infected and many are still locked down.
At the moment, there are delays in processing home sales because affected systems cannot be used to reveal details about property sellers such as unpaid liens. Such information is required to be released to insurers but is currently inaccessible. Water billing systems have also been affected and so customers won’t be receiving bills for some time. The delay is likely to cause a spike in charges when the situation is resolved.
The following is an excerpt of the official statement from the mayor providing an overview of the current situation.
“I am not able to provide you with an exact timeline on when all systems will be restored. Like any large enterprise, we have thousands of systems and applications.
Our focus is getting critical services back online, and doing so in a manner that ensures we keep security as one of our top priorities throughout this process. You may see partial services beginning to restore within a matter of weeks, while some of our more intricate systems may take months in the recovery process.”
Google Disabled Baltimore Gmail Accounts
In the aftermath of the attack, government staff workers in Baltimore apparently tried to set up temporary Gmail accounts as a workaround following the deactivation of infected systems. According to the Baltimore Sun, many of the accounts were disabled.
It was initially unclear why this happened but Brooks Hocog, a Google spokesperson, elaborated that the mass creation of Gmail accounts in a localized geographical area triggered the company’s security system which disabled a vast majority of them. Many were reportedly restored a short while after the released statement.
How The Infection Occurred
Hackers were able to infect thousands of computer systems within a very short period of time by allegedly utilizing EternalBlue, a leaked NSA hacking tool. On May 7, the city’s government workers woke up to find critical file systems encrypted by ransomware.
The cybercriminals were demanding payment in bitcoin. Although the systems were immediately taken offline and the FBI called to investigate, the city administration’s voicemail system and parking fines database, among others, had been encrypted. Cybersecurity firm Armor shared a redacted image of the note left by the hackers demanding a ransom.
The note warned that the ransom would increase to $10,000 per day after four days, adding that no further negotiations would take place.
The cybercriminals are believed to have gained access to government servers through a vulnerable computer system. They were then able to create a backdoor that enabled the infected machine to infect others connected to its network.
Cybersecurity contractors working on the project allegedly discovered another tool called a web shell that could have been used in tandem with EternalBlue to “pass-the-hash” across network computers. This is believed to have enabled the malware to spread further by utilizing copied credentials to bypass network protocols.
EternalBlue Widely Used by Crypto Hackers
The EternalBlue exploit was developed by the NSA but leaked online by the Shadow Brokers in 2017. The original code has since been modified by numerous malicious actors to penetrate computer systems and install malware, cryptocurrency miners and ransomware.
It was notably used to carry out the infamous WannaCry ransomware attack that infected PCs worldwide in 2017 just a few months after the leak. It worked by encrypting files on personal computers and then demanding ransom to be paid in crypto. Over 150,000 computers were infected in more than 100 countries.
Microsoft was quick to release a patch designed to thwart the attack but there are still millions of computers out there that are vulnerable due to the widespread use of counterfeit Windows software, a failure to install the patch or the latest Microsoft security updates. Investigators believe that a failure to install security updates against the exploit is what caused the Baltimore attack to be so successful.
EternalBlue Preferred By Crypto Mining Hacker Groups
EternalBlue came into the limelight again in January after researchers uncovered its use in a sophisticated cryptojacking campaign that particularly targeted computers and servers in China.
The Qihoo 360 security team is credited for being the first to discover the infection. The campaign apparently relied on EternalBlue along with some formidable PowerShell scripts to download malware payloads on infected machines and mine cryptocurrencies such as Monero.
More recently, Symantec uncovered a major cryptojacking campaign involving the EternalBlue exploit that particularly targeted enterprises in China. It relied on a file-based crypto miner. Initial infection of machines was apparently carried out via phishing emails.
The recent rise of the cryptocurrency market is believed to be fuelling a resurgence of cryptojacking malware attacks. Symantec reports that cryptojacking infections fell by about 50 percent in 2018 after the crypto market went into a bearish mode.
The report underscores that although ransomware attacks have been on the decline and are now down by about 20 percent, campaigns targeting enterprises have increased by about 12 percent.
ABOUT THE AUTHOR
Elizabeth Gail is a crypto-enthusiast and blogger. Her specialties include cryptocurrency news writing and analysis. When not writing about crypto, she’s out taking part in humanitarian endeavors across the world. For any news tips or coverage, you can reach out and engage with her on Twitter at @Lizbarret001. You can also email her at elizabeth.barret (at) yahoo dot com.