Contrary to initial reports, the Bad Rabbit ransomware that hit Russia and Ukraine this week does in fact leverage an exploit linked to the U.S. National Security Agency (NSA).
Similar to the NotPetya wiper that infected tens of thousands of systems back in late June, Bad Rabbit also uses the Server Message Block (SMB) protocol to spread within the compromised network. However, researchers initially claimed that, unlike NotPetya, the ransomware did not use either of the SMB exploits tracked as EternalBlue and EternalRomance.
It turns out that while Bad Rabbit does not use EternalBlue, it does in fact leverage EternalRomance to propagate in the network. The presence of the exploit was first reported by Cisco Talos and later confirmed by F-Secure.