Alleged NSA leakers capitalize on ransomware scare based on their wares

The group that released two vulnerabilities used in Tuesday's ransomware outbreak — one of which was also used in the similarly devastating WannaCry outbreak in May — is making an effort to capitalize on the notoriety.  

The ShadowBrokers, which claims to be releasing cyber weaponry stolen from the National Security Agency, announced pricing changes to a "wine of the month"-type leak program and a new "VIP" product in their attempts to monetize the hacking tools and apparent government documents in their possession. 

"Another global cyber attack is fitting end for first month of theshadowbrokers dump service. There is much theshadowbrokers can be saying about this but what is point and having not already being said? So to business! Time is still being left to make subscribe and getting June dump. Don’t be let company fall victim to next cyber attack, maybe losing big bonus or maybe price on stock options be going down after attack. June dump service is being great success for theshadowbrokers, many many subscribers, so in July theshadowbrokers is raising price," the ShadowBrokers wrote in an online message released early Wednesday. 

The ShadowBrokers have been active since summer 2016 and have over time leaked potent hacking tools that could bypass security measures in popular security hardware and Windows machines, as well as documents appearing to show the NSA hacked a Middle Eastern banking services company as a vector into its clients. 

EternalBlue, a ShadowBrokers-leaked Windows vulnerability that took advantage of weaknesses in Windows file-sharing systems, fueled both the WannaCry ransomware and a ransomware attack on Tuesday.

Tuesday's attack also used a second ShadowBrokers vulnerability, EternalRomance, which targets Windows XP systems, as well as a hacked updating feature for Ukrainian accounting software.

The Tuesday attack did most of its damage in Ukraine and Europe, but reports of infections have spread to India, throughout Asia and in the United States. Major victims include the U.S. law firm DLA Piper, the pharmaceutical giant Merck and the Russian oil firm Rosneft.

WannaCry infected hundreds of thousands of computers worldwide.

The ShadowBrokers launched its monthly subscription document leaks service this month at a price of $27,000 a month in digital currency. Their new release more than doubles the price to $61,000.  

The ShadowBrokers also announced a new premium service allowing customers to make requests for assistance or specific document releases.

"For months many peoples is messaging theshadowbrokers...Do you have X or Y vulnerability? Will you hack X or Y for me? Do you have intel on X or Y organization? Do you have intel on my organization? Have I been hacked? In past theshadowbrokers is not taking request or providing individual services. This changes with VIP Service," said the ShadowBrokers.  

"For one time payment of [$120,000] you getting theshadowbrokers VIP attention. VIP Service is no guarantee of future good or services, negotiation for those is being separate."

The ShadowBrokers also used their latest announcement to threaten a critic, calling out someone the group only identified as "the doctor" who posted critical tweets online. The ShadowBrokers claim the critic left enough digital breadcrumbs to embarrass them online. 

"TheShadowBrokers is thinking 'doctor' person is co-founder of new security company and is having much venture capital. TheShadowBrokers is hoping 'doctor' person is deciding to subscribe to dump service in July. If theshadowbrokers is not seeing subscription payment with corporate email address of doctor@newsecuritycompany.com then theshadowbrokers might be taking tweets personally and dumping data of 'doctor' persons hacks of China with real id and security company name," it said.