Criminals used leaked NSA cyberweapon in crippling ransomware attack, experts say

The attackers exploited a software bug that was also used by U.S. spies, and patched by Microsoft in March.

The attackers exploited a software bug that was also used by U.S. spies, and patched by Microsoft in March

The supposed NSA code exploited a software vulnerability found in multiple versions of Microsoft's Windows operating system, and was known by the codename EternalBlue. (The Associated Press)

A leaked cyberweapon believed to have been created by NSA spies was used by criminals on Friday to launch a crippling ransomware attack on hospitals and telecom companies across Europe, security experts say.

The attack — which holds access to infected computers ransom in exchange for payment — wreaked havoc on patient care in at least 16 organizations within the U.K.'s state-run National Health Service and is believed to have spread to computers in more than 99 countries by Saturday morning, according to security company Avast.

Researchers spent much of Friday examining the software used in the attack, and believe it relies on re-purposed code that is said to have originally been written by the NSA.

The supposed NSA code exploited a software vulnerability found in multiple versions of Microsoft's Windows operating system, but was patched in March just weeks before a group of hackers known as the Shadow Brokers leaked a trove of information publicly detailing what they claimed were the U.S. spy agency's secret tools and techniques.

'Weapons-grade exploits'

"These were weapons-grade exploits [and] very trivial to use," said Matthew Hickey, a cybersecurity research and co-founder of the company Hacker House, who previously analyzed the code leaked by the Shadow Brokers. "So what we're seeing is this very run-of-the-mill malware that's being adopting these exploits, adopting these kind of weaponized attacks and using them to spread across networks and demand ransom."

Spain's national computer security incident response team was one of the first organizations to publicly attribute the ransomware's spread to the leaked exploit — known by the NSA code name EternalBlue and Microsoft patch number MS17-010 — while malware researchers reported similar findings on Twitter.

Costin Raiu, director of global research and analysis at the computer security company Kaspersky, said that his firm had detected more than 45,000 recorded instances of the attack in 74 countries by early Friday afternoon.

"I'm actually genuinely quite surprised that it's taken close to six or seven weeks for the first large-scale incident like this to happen," said Hickey, who is alarmed — but unsurprised — that people aren't patching as quickly as they should.

A global patching problem

While many ransomware infections require a victim to open an email attachment or click a link, Friday's attack is notable for its worm-like ability to spread — in other words, its ability to copy itself between vulnerable machines without user intervention.

The ransomware's rapid spread suggests that many organizations have been slow to update their systems to newer versions of Microsoft's Windows operating system that address the bug, which likely aided the worm's movement.

"I just can't stress it enough: we have a global patch management problem," said Katie Moussouris, CEO and founder of the cybersecurity company Luta Security. "And it's been manifesting for the better part of the last 20 years."

Software makers have long struggled to convince users of the importance of keeping their software up to date — especially in the face of bugs deemed as critical as the one that was patched in March.

Some organizations, such as hospitals or factories, might delay patching for fear of disrupting critical systems. Others might lack the technical knowledge or resources to patch quickly, if at all. Software companies have more recently tried to address the problem by downloading and installing some updates automatically — but Moussouris believes there is still more work that needs to be done.

Re-using NSA code

In this case, it's not so much the NSA spy software that criminals are exploiting, but rather the software vulnerabilities spies use to deliver their tools undetected onto targets' machines, re-purposed to deliver ransomware instead.

And while it may sound surprising to see tools otherwise used for government espionage re-purposed for what amounts to a global electronic extortion campaign, Moussouris said it's long been the practice of criminals to adapt everything from academic research to leaked code for use in their attacks.

"While there's nothing particularly special about this pattern … for sure, if there are future leaks you can expect the same patterns to be followed," Moussouris said, stressing the importance of applying patches as soon as possible once software updates are made available.

What having NSA tools in the wild doesn't mean is that "we're all going to be spied on by everyone," she said.

"It's not how that works. If you were not a target in the first place, guess what? You're still not a target."


Matthew Braga

Senior Technology Reporter

Matthew Braga is the senior technology reporter for CBC News, where he covers stories about how data is collected, used, and shared. You can contact him via email at For particularly sensitive messages or documents, consider using Secure Drop, an anonymous, confidential system for sharing encrypted information with CBC News.