Like many of the other exploits included in the leak, ETERNALBLUE targets vulnerabilities in the Server Message Block (SMB) protocol, which is used primarily to provide shared access to files, printers, serial ports and other resources. It is specifically addressed by Microsoft's critical security update MS17-010.
Researchers have already been able to successfully execute the exploit, as demonstrated below:
Here is a video showing ETERNALBLUE being used to compromise a Windows 2008 R2 SP1 x64 host in under 120 seconds with FUZZBUNCH #0day ;-) pic.twitter.com/I9aUF530fU
AES ransomware (also known as AES256 ransomware) has been active since December 2016. It was only recently rebranded to AES-NI ransomware.
The AES-NI variant drops a ransom note file titled !!!.READ THIS - IMPORTANT !!!.txt, which refers to the ransomware as a "Special Version: NSA Exploit Edition" and states that, if you are reading it, your server was attacked with NSA exploits.
Files are encrypted with a combination of AES-256 and RSA-2048 encryption, and renamed with the ".aes_ni" extension. Unfortunately, at this time no decryption tools are available for files encrypted by AES-NI.
The ransom demand has been reported to be 1.5 Bitcoin (~$1,960), though for any victims from former Soviet states the ransomware developer will apparently decrypt files for free.
Victims are encouraged to email the criminals for further instructions. If they don't get a response, they're urged not to panic but to try contacting them via Bitmessage, or even by creating a topic on the Bleeping Computer forum, which the criminals are apparently monitoring.
Full ransom note text below:
SPECIAL VERSION: NSA EXPLOIT EDITION

INTRO: If you are reading it, your server was attacked with NSA exploits. Make World Safe Again.

SORRY! Your files are encrypted. File contents are encrypted with random key (AES-256 bit; ECB mode). Random key is encrypted with RSA public key (2048 bit).

We STRONGLY RECOMMEND you NOT to use any "decryption tools". These tools can damage your data, making recover IMPOSSIBLE. Also we recommend you not to contact data recovery companies. They will just contact us, buy the key and sell it to you at a higher price.

If you want to decrypt your files, you have to get RSA private key. In order to get private key, write here: firstname.lastname@example.org@email@example.com

Also there is one fast way to contact us. If you are familiar with Jabber, write us to JID: firstname.lastname@example.org (it is Jabber, not e-mail address!) You can the get Jabber account for example at https://www.xmpp.jp/signup

IMPORTANT: In some cases malware researchers can block our e-mails. If you did not receive any answer on e-mail in 48 hours, please do not panic and write to BitMsg ( https://bitmsg.me ) address: BM-2cVgoJS8HPMkjzgDMVNAGg5TG3bb1TcfhN or create topic on https://www.bleepingcomputer.com/ and we will find you there.

Also the if you better download the Tor browser here: https://www.torproject.org/download/download-easy.html.en Download, install and run it; then visit our site (from the Tor browser): http://kzg2xa3nsydva3p2.onion/index.php Please do not visit this site from standard browser: it just will not open. You need Tor Browser to open .onion sites. There is a form, you can write us there if all e-mails are blocked and we will contact you very fastly.

If someone else offers you files restoring, ask him for test decryption. Only we can successfully decrypt your files; knowing this can protect you from fraud.

You will receive instructions of what to do next. You MUST refer this ID in your message: PC # Also you MUST send all ".key.aes_ni" files from C: \ ProgramData if there are any.
Regardless of the attack vector, there was a significant spike in AES-NI ransomware infections in the days following the NSA exploits leak, with over 100 infections reported to the service ID Ransomware on Monday, April 17.
[Figure: AES-NI ransomware activity from the past 30 days. Source: ID Ransomware]
Infections have since slowed back down to a handful a day, perhaps indicating disruption in the ransomware's operations.
Even with AES-NI momentarily quiet, however, companies should take precautions to protect themselves from this and future ransomware strains that attempt to leverage the leaked NSA exploits.
How to protect your organization from AES-NI and ETERNALBLUE
Patch ASAP

While patching isn't always easy to do or expedite in an enterprise environment, organizations should prioritize applying update MS17-010.
Deploy runtime malware defense to block AES-NI and other malware at runtime

While attacks that target SMB and RDP ports may bypass other security, they can still be stopped at runtime with security software that recognizes and blocks malicious system activity. Watch the video below to see how Barkly stops AES-NI ransomware before any harm is done:
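As an added example (not part of the original post, and not Barkly's product logic), the script below runs over file-system event lines and flags the three indicators the ransom note itself names: files renamed with the ".aes_ni" extension, the ransom note file, and ".key.aes_ni" key files under C:\ProgramData. The log line format, the sample events and the key-file name PC-1234.key.aes_ni are constructed for this example.

```python
"""Flag AES-NI ransomware file-system indicators in constructed event logs."""
import re
from collections import Counter
from datetime import datetime, timedelta

RANSOM_NOTE = "!!!.READ THIS - IMPORTANT !!!.txt"  # note filename from the post
# Constructed log format: "<ISO-8601 timestamp> <action> <path>"
LINE_RE = re.compile(r"^(\S+)\s+(CREATE|RENAME|WRITE)\s+(.+)$")

def classify_path(path):
    """Map one file path to an AES-NI indicator name, or None if benign."""
    name = path.rsplit("\\", 1)[-1]
    if name == RANSOM_NOTE:
        return "ransom_note"
    lower = path.lower()
    # The note asks victims to send ".key.aes_ni" files from C:\ProgramData.
    if lower.endswith(".key.aes_ni") and lower.startswith("c:\\programdata\\"):
        return "key_file"
    if lower.endswith(".aes_ni"):  # encrypted victim file
        return "encrypted_file"
    return None

def scan_events(lines, burst_window=timedelta(seconds=60), burst_threshold=3):
    """Count indicators and detect a burst of encrypted-file events
    (burst_threshold or more within burst_window), a sign of active encryption."""
    counts, encrypted_times = Counter(), []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, _action, path = m.groups()
        kind = classify_path(path)
        if kind is None:
            continue
        counts[kind] += 1
        if kind == "encrypted_file":
            encrypted_times.append(datetime.fromisoformat(ts.replace("Z", "+00:00")))
    encrypted_times.sort()
    burst = any(encrypted_times[i + burst_threshold - 1] - encrypted_times[i] <= burst_window
                for i in range(len(encrypted_times) - burst_threshold + 1))
    return {"counts": dict(counts), "active_encryption": burst,
            "ransom_note_seen": counts["ransom_note"] > 0}

SAMPLE_EVENTS = [  # constructed telemetry, not captured from a real infection
    "2017-04-17T10:02:13Z WRITE C:\\Users\\bob\\Documents\\budget.xlsx",
    "2017-04-17T10:02:14Z RENAME C:\\Users\\bob\\Documents\\budget.xlsx.aes_ni",
    "2017-04-17T10:02:15Z RENAME C:\\Users\\bob\\Documents\\report.docx.aes_ni",
    "2017-04-17T10:02:16Z RENAME C:\\Shares\\finance\\q1.pdf.aes_ni",
    "2017-04-17T10:02:20Z CREATE C:\\ProgramData\\PC-1234.key.aes_ni",
    "2017-04-17T10:02:21Z CREATE C:\\Users\\bob\\Desktop\\" + RANSOM_NOTE,
    "2017-04-17T10:05:00Z WRITE C:\\Windows\\Temp\\benign.log",
]
```

Running `scan_events(SAMPLE_EVENTS)` reports three encrypted files, one key file and the ransom note, with the burst check firing because the three renames land within seconds of each other.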