Written by Shannon Vavra

Senior National Security Agency officials have no evidence a tool developed by the NSA “played a role” in the ransomware attack on Baltimore, Rep. Dutch Ruppersperger said Friday following a briefing at the agency’s headquarters.

Ruppersberger, D-Md., and other officials requested briefings with the agency following a report from The New York Times that the exploit, known as EternalBlue, was used to help spread the RobbinHood ransomware variant across the city’s IT infrastructure.

“I have been told that there is no evidence at this time that EternalBlue played a role in the ransomware attack currently affecting Baltimore City,” Ruppersberger said in a statement. “I’m told it was not used to gain access nor to propagate further activity within the network.”

A followup briefing with other members of Maryland’s congressional delegation is expected to be held Monday. The Federal Bureau of Investigation has confirmed to CyberScoop it is currently investigating the Baltimore attack.

“It is important that discussions regarding the use of government cyber tools, and subsequent leaks, be rooted in facts as they become available,” Ruppersberger said.

It’s unclear how the NSA has come across evidence that refutes what sources told the New York Times. Multiple private companies have been called in by Baltimore city officials to perform the incident response. No information from those efforts has been released publicly.

Senior NSA cyber adviser Rob Joyce did not go so far Thursday as to directly refute the Times’ reporting, but he did say that there is not an “indefensible” nation-state-built tool that is spreading ransomware.

“The characterization that there is an indefensible nation-state tool propagating ransomware is simply untrue,” Joyce said.

Joyce, who was speaking stressed the importance of quickly patching vulnerabilities, especially when they are critical. Microsoft released a patch for the vulnerability in 2017.

“Two years have gone by — network administrators are responsible for ensuring that system patches are up-to-date,” Joyce said.

IT officials in Baltimore had previously warned city leadership their network infrastructure was “a natural target for hackers and a path for more attacks in the system,” according to report obtained by the Baltimore Sun.

According to security researchers, EternalBlue has never been used in conjunction with RobbinHood. The CEO of Dragos, Robert M. Lee, told CyberScoop he is more convinced than ever the Times has been getting “bad information” about the ransomware attack in Baltimore.

“Proving EternalBlue was used would be an easy thing to do if the information was accurate. Nothing has been put forth to do that,” Lee said in an email. “However, we now have technical details that are conflicting and cast doubt on the information being passed to the NYT. Case details get muddled sometimes though, it happens.”

Despite the fact that there isn’t public evidence that EternalBlue has been used in RobbinHood before, researchers have previously said it is possible nefarious actors may have begun to change the way they launch RobbinHood and may have incorporated EternalBlue as a part of shifting tactics.

“It’s incredibly possible that they’ve adapted their ransomware to include EternalBlue,” Allan Liska, Recorded Future’s threat intelligence analyst, told CyberScoop.



Moving forward, Ruppersberger hopes the conversation about Baltimore can focus on how municipalities can recover from these kinds of attacks.

“Now, our focus now should be on Baltimore’s recovery. It is my understanding that the FBI is leading an ongoing investigation and I look forward to hearing deeper analysis from them when they conclude,” Ruppersberger said. “The reality is that patching can be hard and requires resources that many municipalities don’t have.”

The NSA declined to comment.