The Bad Rabbit malware, which U.S. analysts say originated in Russia, allegedly used a leaked National Security Agency hacking tool.
Cisco researchers found that the malware used an NSA tool called EternalRomance, which capitalizes on a vulnerability in Windows computers by bypassing security over Server Message Block file-sharing connections.
The vulnerability enables hackers to remotely execute instructions on Windows clients and servers.
EternalRomance was leaked this year by a group called The ShadowBrokers, who released the tools they said were from the NSA.
It is not, however, the same NSA tool made famous by earlier ransomware outbreaks NotPetya and WannaCry.
The ShadowBrokers released several packages of the EternalRomance tools, all of which they said had been stolen from the NSA.
The news comes after the U.S. Computer Emergency Readiness Team, a division of the Department of Homeland Security, said it had “received multiple reports” of ransomware infections called Bad Rabbit in many countries around the world, including Russia, Ukraine, and Germany.
A fake Adobe Flash update reportedly helped spread the malware. Once it was installed on one computer, the hackers could use other techniques to spread it to other computers on the same network.
The hack predominantly affected Russian users and even interrupted service in Ukrainian mass transit. However, the source of the attack is still unclear.
“There is a lot of speculation that Russia is the main target, which may be true, but does not rule out Russia as the attacker,” Dr. Andrea Little Limbago, chief social scientist at Endgame, said.