May 12, is the one-year anniversary of the WannaCry ransomware outbreak.
Exactly one year after the biggest cyber-security incident in history, the exploit at the heart of the WannaCry attack is now more popular than ever, according to telemetry data gathered by Slovak antivirus vendor ESET.
Named EternalBlue, the exploit was supposedly developed by the cyber division of the US National Security Agency. EternalBlue was part of a large cache of tools that a hacker group known as The Shadow Brokers stole from NSA servers in 2016 and then leaked online from August 2016 to April 2017.
Many suspect the NSA might have notified Microsoft of what the Shadow Brokers stole, because in March 2017, a month before EternalBlue was released, Microsoft released MS17-010, a security bulletin containing patches for the many SMB-targeting exploits included in the Shadow Broker leak.
EternalBlue wasn’t that widespread in the beginning
What happened next is well documented, with EternalBlue being used to create a self-spreading mechanism for the WannaCry ransomware, and later for subsequent ransomware outbreaks like NotPetya and Bad Rabbit.
The impact of EternalBlue was devastating, with companies reporting total damages of over $8 billion across 150 countries just from the WannaCry incident alone, according to IBM X-Force.
But the initial version of EternalBlue wasn’t perfect. It only worked on Windows 7 and Windows Server 2008 and crashed on Windows XP.
EternalBlue did a lot of damage during WannaCry, but there were very few malware authors that knew how to use it. This is why, according to ESET, that shortly after WannaCry, EternalBlue usage declined tremendously.
“EternalBlue had a calmer period immediately after the 2017 WannaCryptor campaign,” ESET’s Ondrej Kubovič explains. “Over the following months, attempts to use the EternalBlue exploit dropped to ‘only’ hundreds of detections daily.”
But things changed during the post-WannaCry and post-NotPetya incidents. For starters, security researchers ported EternalBlue to more platforms, such as Windows 8 and Server 2012, and later even Windows 10.
This broadened the exploit’s ability to infect more victims than usual and made it a commodity among malware authors.
In the following months, EternalBlue spread from mundane crypto-mining operations to the arsenal of state-level cyber-espionage groups.
Even if EternalBlue is not being used anymore to help ransomware become a virulent nightmare on a global level (only on a network level), most regular users don’t know that it’s still one of today’s biggest threats.