Hidden Dangers of Ryuk Ransomware - 2 History of NSA Based Cyber Weapons

     II. History of NSA Based Cyber Weapons

In the early 1990’s, I started one of the world’s first online stores in Bellevue Washington – one year before the start of Amazon. Since then, I have helped hundreds of business owners build secure business websites and overcome hacking attacks. This experience has made me acutely aware for the need to protect computer networks and websites from hackers.

About 10 years ago, I began researching a new wave of cyber weapons called Stuxnet and Flame that were causing severe harm to Windows computers. This new generation of cyber weapons, which we now know were created by the NSA beginning in 2007, were able to persist on Windows computers even after replacing the operating system and even after replacing the hard drive of the computer.

This research led to a book I published in September 2013 called Free Yourself from Microsoft and the NSA – based in part on the revelations of Edward Snowden about these NSA hacking tools – but based primarily on my own research regarding security vulnerabilities of the Windows operating system. You can download and read a free copy of this book at this website. https://freeyourselffrommicrosoftandthensa.org/

In that book, I predicted it was only a matter of time until hackers got copies of these NSA cyber weapons and used them to hack Windows computers all over the world. That day arrived on July 5, 2015 when a group called Hacking Team was exposed for selling NSA hacking tools to repressive governments around the world. Hacking Team itself was hacked and more than 400 GB of NSA based hacking tools was released over the Internet.


On August 13, 2016, a group called Shadow Brokers announced that they had hundreds of NSA hacking tools that they were selling on the Black Market to the highest bidder. On April 14, 2017, Shadow Brokers released almost all of these NSA hacking tools, including Eternal Blue, to the public.


The Shadow Brokers release was barely one month after another bombshell release of NSA cyber weapons by Wikileaks in a report called Vault 7 which was released to the public on March 7, 2017. The most shocking part of the Wikileaks report was an NSA tool called the Marble Framework which was a tool used to fool victims into thinking they had been attacked by Russian or Chinese hackers when in fact they had been hacked by NSA hackers.


On May 12, 2017, Wanna Cry Ransomware began attacking hundreds of thousands of Windows computer networks around the world causing about $6 billion in damage. Predictably, Wanna Cry used Eternal Blue and other NSA hacking tools to carry out its attack, spread rapidly from computer to computer and gain control over entire computer networks.

In June, 2017, a new version of NSA based ransomware called Not Petya began attacking computer networks. Not Petya caused more than $10 billion in damages. The attack spread in part using a remote controlled software update from an accounting program – indicating that the server issuing the update had been compromised. NotPetya used the same Eternal Blue and other NSA cyber weapons that had been used by Wanna Cry a month earlier. I wrote a 60 page report about these ransomware attacks and their relationship to NSA cyber weapons in April 2019. You can read this article online by going to the following link: https://learnlinuxandlibreoffice.org/news/the-fight-for-a-secure-linux-bios

You can also view a video presentation of this article at the following link: https://www.youtube.com/watch?v=mEPcRFvvekY

Both WannaCry and Not Petya Ransomware can best be thought of as early versions of Ryuk (aka Emotet - Trickbot – Ryuk & Xbot) and Mega Cortex (Ryuk with a Kill Switch) as all of these hacking tools use Eternal Blue and several other NSA cyber weapons.

The chief difference is that Ryuk and Mega Cortex also targets backup systems used to restore computers after they have been hacked. Both Ryuk and Mega Cortex also appear to have the ability to “persist” on infected networks even after the operating system and hard drive have been cleaned or replaced.

This makes it much more difficult to recover from these new attacks. We will therefore briefly outline the history of Emotet, Trick Bot, Ryuk & Xbot before reviewing how they work and the ongoing threat they pose to Windows computers.