Today Democratic Congressman Ted Lieu of California wrote to the NSA in an appeal for the agency to do anything in its power to stop the spread of the global ransomware (or potentially just disguised as ransomware) attack that began yesterday.
Lieu seeks to hold the NSA accountable for its leaked exploit, known as EternalBlue, which appears to have facilitated the malware’s spread. Last month, the ransomware known as WannaCry also leveraged EternalBlue in order to spread between networked machines that have not been updated to protect them from the vulnerability, which Microsoft issued a patch for back in March (MS17-010).
“Based on various reports, it appears these two global ransomware attacks likely occurred because the NSA’s hacking tools were released to the public by an organization called the ShadowBrokers,” Lieu wrote.
“My first and urgent request is that if the NSA knows how to stop this global malware attack, or has information that can help stop the attack, then NSA should immediately disclose it. If the NSA has a kill switch for this new malware attack, the NSA should deploy it now.”
Lieu went on to implore the spy agency to communicate more openly with major tech companies about the vulnerabilities that it discovers in their systems. In the case of EternalBlue, the NSA is believed to have known about the exploit for years. Naturally that makes one wonder what other massive exploits the agency has up its sleeve and how easily those could be exposed in a new Shadow Brokers leak.
“Given the ongoing threat, I urge NSA to continue actively working with companies like Microsoft to notify them of software vulnerabilities of which the Agency is aware,” Lieu said. “I also urge the NSA to disclose to Microsoft and other entities what it knows that can help prevent future attacks based on malware created by the NSA.”
Some things about yesterday’s ransomware attack make it even nastier than its predecessor WannaCry. As IEEE Senior Member and Ulster University Cybersecurity Professor Kevin Curran explained to TechCrunch: “One key difference from WannaCry is that Petya does not simply encrypt disk files but rather locks the entire disk so nothing can be executed. It does it by encrypting the filesystem’s master file table so the operating system cannot retrieve files.”
The other big difference: WannaCry had a kill switch, even if it was serendipitous.
“It does seem to have the same deadly replication feature of WannaCry which enables it to spread quickly across an internal network infecting other machines,” Curran said. “It seems to also be finding passwords on each infected computer and using those to spread as well. There seems to be no kill switch on this occasion.”
We reached out to the NSA with questions about its ability to stop the spread of the current ransomware and its perceived responsibility moving forward. You can read Lieu’s full letter, embedded below.