We and our partners use cookies to understand how you use our site, improve your experience and serve you personalized content and advertising. Read about how we use cookies and your choices here. By continuing to use this site, you accept these cookies.

Hackers behind stolen NSA tool for WannaCry: More leaks coming

The Shadow Brokers group unleashed an exploit that fueled a global ransomware attack. Now they say they've got more where that came from.

The Shadow Brokers have resurfaced for the first time since August.
MCT Graphics via Getty Images

The WannaCry ransomware never could have escalated as far as it did without the Shadow Brokers. And the hacker group has just resurfaced.

The malware has ensnared up to 300,000 computers in more than 150 countries, locking up devices in hospitals, schools and businesses unless they pay up. It's been able to spread quickly by sneaking through an infected computer's network, using an exploit in a standard sharing tool called Server Message Block found in outdated Windows computers.

The exploit, codenamed EternalBlue, was first discovered by the NSA, but leaked to the world after the Shadow Brokers stole the agency's hacking arsenal. The group, quiet since August, returned Tuesday with a warning for the National Security Agency and the rest of the world: There are going to be more leaked tools.

"In June, TheShadowBrokers is announcing 'TheShadowBrokers Data Dump of the Month' service," the group wrote in its open letter on the Steemit website Tuesday. "Is being like wine of month club."

The hacker group claims that it still has 75 percent of the the US's cyber arsenal, and could release tools that exploit browser, router and phone vulnerabilities, as well as compromised network data from Russia, China, Iran and North Korea.

The Shadow Brokers originally tried selling off the stolen tools in an auction, but backed down after receiving no bidders. In the Tuesday letter, they said they weren't "interested in stealing grandmothers' retirement money," but wanted to send a message to the Equation Group, a hacking group linked to the NSA.

The Shadow Brokers said they'll release more details about their monthly data dump in June, including how interested subscribers could sign up. And after the massive success of WannaCry's ransomware breach, there's certainly much more demand.

"They've proven that these are highly effective tools in their possession, so people are going to be very interested in purchasing this, especially other criminals," Sean Dillon, a senior security analyst at RiskSense said. "They still have the government's tools, and they want to make money off of it."

It's already earned the hackers behind WannaCry more than $70,000 in just four days. The same EternalBlue exploit has also been used to infect computers with Aydlkuzz, malware that stealthily enslaves your PC to mine for cryptocurrency, according to researchers at Proofpoint.

Once somebody gets the data dump from the Shadow Brokers, Dillon said, the exploits would most likely become public. At the end of the letter, the hacker group hinted the NSA could make all these problems go away if the agency paid up for the tools.

When the Shadow Brokers first put the leaked tools up for sale, they demanded 1 million bitcoins, which then translated to $580 million. Currently, that amount is worth $1.76 billion.

"They can't pay anywhere close to the mark," Dillon said.

CNET Magazine: Check out a sample of the stories in CNET's newsstand edition.

Logging Out: Welcome to the crossroads of online life and the afterlife.