The WannaCry ransomware managed to affect over 200,000 systems in 150 countries. Exploiting a Microsoft Windows vulnerability, the ransomware took control of a victim's system and demanded a ransom of between $300 and $600 in Bitcoin for the encrypted files. Neel Mehta, a researcher at Google, studied the attack and revealed a similarity between the code used in WannaCry and that of North Korea's alleged cybercrime gang, the Lazarus Group. Kaspersky Lab agreed that the Lazarus Group could be linked with WannaCry, and now Symantec has provided more evidence on the same.
The Lazarus Group is known for its cyber-espionage campaigns, the first being an attack on the South Korean government in Seoul. This cybercrime group is also behind the attack on Sony Pictures and the 2016 attack on the Bangladesh Bank. Symantec, in its blog post, says that there were earlier versions of the WannaCry ransomware before its major outbreak on May 12. The first version of WannaCry affected systems in February, followed by a second one in March and April. These earlier versions used stolen credentials to spread the ransomware.
Symantec discovered that in both these previous attacks, the tooling, such as the malware and the IP addresses, is mostly linked to the Lazarus Group. Three pieces of malware used by the Lazarus Group in the Sony Pictures attack were discovered in the first version of the WannaCry ransomware. The IP addresses used for command and control of the malware in the March and April attacks were found to be linked to the Lazarus Group. The code used in these previous WannaCry attacks has also been linked to the Lazarus Group.
9c7c7149387a1c79679a87dd1ba755bc @ 0x402560, 0x40F598
ac21c8ad899727137c4b94458d7aa8d8 @ 0x10004ba0, 0x10012AA4
#WannaCryptAttribution
Neel Mehta (@neelmehta) May 15, 2017
Symantec, however, clarifies that although the Lazarus Group is linked to the WannaCry ransomware, these attacks do not bear the hallmarks of a nation-state campaign but are more typical of a cybercrime campaign. What ignited this linkage was the discovery made by Neel Mehta. Through a cryptic message, Mehta shared the similarity between two code samples: one from the February WannaCry attack and one from an APT attack sample by the Lazarus Group in February 2015. In addition, Matt Suiche, founder of the UAE-based cyber security provider Comae Technologies, confirmed the similarity discovered by Neel Mehta.
Matthieu Suiche (@msuiche) May 15, 2017
Kaspersky Lab, which has been studying the Lazarus Group extensively, further revealed that the file extensions targeted for encryption by the February WannaCry versions were present in the May attack as well, with more extensions added. With more evidence pointing to a possible link between the Lazarus Group and the WannaCry attacks, Kaspersky Lab calls for a deeper investigation into the matter, which could help unravel some of the deepest mysteries in cybercrime.