Cryptocurrency Botnet Used Leaked NSA Exploits Before WannaCry Ransomware Attack

The largest ransomware attack in history spread to computers in 150 countries during the weekend, all thanks to two leaked National Security Agency hacking tools. A group of hackers called the Shadow Brokers have been leaking NSA codes, tools and documents since last summer, the Hill reported. These leaks included an old Microsoft vulnerability called EternalBlue, which was developed by the NSA Business Insider reported. The recent ransomware virus, WannaCry, used an NSA-developed plugin called DoublePulsar to inject malicious software through the EternalBlue window without needing authentication like passwords.

Experts said they don’t think the Shadow Brokers conducted the ransomware attack themselves. The NSA exploits were spread throughout hacking communities for weeks before the global WannaCry ransomware attack, which crippled the United Kingdom’s health care system. Plus, long before WannaCry, the same NSA vulnerabilities were used in a large scale botnet hack for mining cryptocurrency.

Read: WannaCry Ransomware Attack: Hackers Raised $50,000 In Bitcoins, Now What?

Cryptocurrencies like bitcoin create new tokens by allowing users to “mine” the decentralized system. Mining sucks up a lot of the computer’s resources but rewards each user with tokens in exchange for their power. The leaked NSA tools were used in a recent cryptocurrency attack, called Adylkuzz, which used an army of hacked computers, a botnet, to mine cryptocurrency and redirect reward points to the attackers’ accounts. These unidentified hackers were after a cryptocurrency called Monero.

The cybersecurity company Proofpoint said in a blog post Adylkuzz might have started infecting target computers in April, weeks before the WannaCry attack. “Initial statistics suggest this attack may be larger in scale than WannaCry,” Proofpoint’s blog said. “In this attack, Adylkuzz is being used to mine Monero cryptocurrency. Similar to Bitcoin but with enhanced anonymity capabilities, Monero recently saw a surge in activity after it was adopted by the AlphaBay darknet market.”

So far, it looks like the cryptocurrency attack was pretty profitable.

“One of several Monero addresses associated with income from Adylkuzz mining generated $22K, another $7K and a third $14K before mining ceased,” The Register reported. “Indications are that the crooks behind Adylkuzz have generated a lot more money than the WannaCrypt ransomware fiends.”

Read: WannaCrypt Ransomware Windows Patch: Microsoft Tells Government To Stop Hoarding Security Vulnerabilities

In total, the cryptocurrency attack earned hackers around $20,000 less than the ransomware attack, which reportedly yielded bitcoin ransoms worth $60,000. But many computer systems around the world are still vulnerable to both viruses if people haven’t updated their software with the protective patch that debuted in May. The hackers behind both attacks, Adylkuzz and WannaCry, still remain at large.

In the meantime, Microsoft blamed the NSA for these international cyberattacks. "This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem,” Brad Smith, Microsoft's president and chief legal officer, said in a statement Sunday.