WannaCry ransomware started taking over affected users’ files on Friday morning, demanding up to $300 to restore access. Many are wondering who is behind the ransomware known as “WannaCry,” “Wanna Decryptor,” or “WannaCrypt.” A security researcher has found evidence linking the malware to a North Korean operation known as the Lazarus Group. Analysts at the BBC said three accounts linked to the ransom demands suggested only about $38,000 had been paid by Monday morning.
On Monday, Google security researcher Neel Mehta issued a cryptic tweet containing only a set of characters. According to Fortune, they referred to two portions of code in a pair of malware samples, along with the hashtag #WannaCryptAttribution. Matt Suiche, a Dubai-based security researcher and the founder of the security firm Comae Technologies, said the code is shared between the two programs.
“There’s no doubt this function is shared across these two programs… WannaCry and this [program] attributed to Lazarus are sharing code that’s unique. This group might be behind WannaCry also.”
The Lazarus Group, which is responsible for a series of online heists targeting central banks, is believed to be a North Korean military operation that funds its cyber warfare activities through crime. A ransomware campaign would be consistent with the group’s previous behavior.
According to Suiche, that chunk of commands represents an encoding algorithm. Lazarus rose to notoriety following a series of high-profile attacks, including the hack of Sony Pictures in late 2014. According to Wired, the group was later identified by US intelligence agencies as a North Korean government operation.
More recently, researchers believe that Lazarus compromised the SWIFT banking system and netted tens of millions of dollars from Vietnamese and Bangladeshi banks. According to the security firm Symantec, Contopee was one of the tools used in those intrusions.
9c7c7149387a1c79679a87dd1ba755bc @ 0x402560, 0x40F598
ac21c8ad899727137c4b94458d7aa8d8 @ 0x10004ba0, 0x10012AA4
#WannaCryptAttribution
— Neel Mehta (@neelmehta) May 15, 2017
Eric Chien at Symantec said:
“Whenever a high profile attack or breach breaks out, we basically dig into it and look to see if we can find indicators that match known groups that we’re tracking… Right now we’ve uncovered a couple of what we would call weak indicators or weak links between WannaCry and this group that’s been previously known as Lazarus.”
However, he said it was too early to tell whether North Korea was involved in the attacks.
“Lazarus was behind the attacks on Sony and the Bangladesh banks. But these indicators are not enough to definitively say it’s Lazarus at all.”
— Forbes (@Forbes) May 16, 2017
John Miller, a manager of threat intelligence at the cybersecurity company FireEye, told NBC News the company was detecting new versions of the malware that appeared to have been produced by third parties.
“We have seen a couple new variants come out and it has actually been unclear if those are by the original authors.”
The malware behaves like a worm: it exploits vulnerabilities in Microsoft operating systems, especially those running outdated software, to spread from one computer to others throughout a network. In an attempt to block the malware, Microsoft said it has been pushing out special automatic updates to those older systems.
Adam Meyers, the vice president of intelligence at the cybersecurity firm CrowdStrike, told MSNBC on Monday that what made the virus “so dangerous” was that it can spread by itself.
“In most previous cases you would actually get an email. You would have to click on that email or click on a link and you’d become infected… In this case, it can actually spread from computer-to-computer by itself.”
On Monday, Kaspersky followed up on Mehta’s tweet with a blog post analyzing the two samples. While the researchers confirmed the shared code between the Lazarus malware and an early version of WannaCry, they stopped short of stating with certainty that the ransomware stemmed from the state-sponsored North Korean operation.
“For now, more research is required into older versions of WannaCry,” the company wrote. “We believe this might hold the key to solve some of the mysteries around this attack.”
[Featured Image by Wong Maye-E/AP Images]