The ‘WannaCry’ strain of ransomware that has infected hundreds of thousands of victims across 150 countries may be linked to North Korea, researchers say. One well-known hacking team, dubbed “Lazarus Group”, was specifically name-checked.
The coding similarities were first uncovered by Neel Mehta, a security researcher at Google, who dug up links between WannaCry and a strain of malware called “Contopee”, previously referenced during the probe into the massive Bangladesh Bank heist last year.
Cybersecurity firm Kaspersky Lab, which previously revealed Lazarus Group was involved with the 2014 Sony Pictures hack, said on 15 May that investigators must now “investigate these similarities and attempt to discover more facts about the origin of WannaCry.”
“Looking back to the Bangladesh attack, in the early days, there were very few facts linking them to the Lazarus group,” a blog post read.
The researchers continued: “In time, more evidence appeared and allowed us, and others, to link them together with high confidence. Further research can be crucial to connecting the dots.
“We believe this might hold the key to solving some of the mysteries around this attack.”
In a statement to IBTimes UK, Symantec said: “Over the weekend, we began investigating connections of WannaCry to known groups we are monitoring.
“We discovered that earlier versions of WannaCry in April and early May, which weren’t widely distributed, unlike the recent outbreak, were found on systems shortly after being compromised with known Lazarus tools.
“However, we have not yet been able to confirm the Lazarus tools deployed WannaCry on these systems. In addition, we found code in WannaCry used in SSL routines that historically was unique to Lazarus tools. While these connections exist, they so far only represent weak connections.
“We are continuing to investigate for stronger connections.”
‘Havoc and embarrassment’
Responding to the news on Twitter, Claudio Guarnieri, a senior technologist at Amnesty International and researcher at Citizen Lab, said the discovery of linked malware was “huge if true.”
He tweeted: “That could explain the general sloppiness and lack of a decryption process, if the intent is to quickly cause havoc and embarrassment. That said, we need to be cautious. We definitely need more data points before being confident about this connection.”
WannaCry was responsible for a major incident on 12 May (Friday) after it quickly infected organisations across the world, including the UK health service. It spread so effectively because it carried a self-propagating component built on an NSA exploit for the Windows SMB file-sharing service, leaked in April by a group called ‘Shadow Brokers’; Microsoft had already issued a patch for the flaw in March, but unpatched machines remained exposed.
Law enforcement agencies around the globe are now scrambling to investigate the computer meltdowns. Organisations, meanwhile, are rushing to patch systems before a new variant of the notorious ransomware is able to infect machines running outdated software. – IBTimes