Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

North Korea Possibly Behind WannaCry Ransomware Attacks

An earlier WannaCry ransomware sample shows code similarities with malware used by a North Korea-linked hacking group responsible for multiple financial and destructive attacks, security researchers say.

An earlier WannaCry ransomware sample shows code similarities with malware used by a North Korea-linked hacking group responsible for multiple financial and destructive attacks, security researchers say.

Considered the world’s biggest ransomware attack to date, WannaCry went on rampage over the weekend, hitting targets in 150 countries and infecting over 230,000 computers at its peak. The spread slowed down on Monday, but not before new malware variations emerged.

The ransomware’s weak point was a hardcoded domain used for sandbox evasion, which also served as a kill-switch: once the domain was registered, the malware no longer infected new machines.

North Korea Behind WannaCry Ransomware?

Responsible for the massive outbreak was a worm component abusing the NSA-linked EternalBlue exploit to target a vulnerability in Windows’ Server Message Block (SMB). Microsoft addressed the flaw in its March 2017 security updates (the MS17-010 patch), and also issued an emergency patch for unsupported platforms over the weekend.

WannaCry initially emerged in February, but didn’t make an impact then. Unlike the most recent attack, the previous infection runs used standard distribution methods, such as spam emails and malware droppers. The recent ransomware samples are also different from the previous iteration, code-wise.

Neel Mehta, a researcher at Google, was the first to notice code similarities between the February 2017 WannaCry variant and a February 2015 sample tied to the North Korean-linked hacking group Lazarus. The actor is supposedly responsible for the $81 million cyber heist from Bangladesh’s account at the New York Federal Reserve Bank in 2016 and for the devastating attack against Sony Pictures in 2014. 

Also referred to as BlueNoroff, Lazarus has been associated with various global attacks, and security researchers consider it the most serious threat against banks. Earlier this year, the actor targeted banks in Poland as part of a larger campaign targeting financial organizations around the world.

“The scale of the Lazarus operations is shocking. The group has been very active since 2011 and was originally disclosed when Novetta published the results of its Operation Blockbuster research. During that research, hundreds of samples were collected and show that Lazarus is operating a malware factory that produces new samples via multiple independent conveyors,” Kaspersky Lab says.

Advertisement. Scroll to continue reading.

At the moment, Neel Mehta’s discovery represents the most significant clue related to WannaCry’s origins, as it didn’t take long before others confirmed the connection with Lazarus, including Kaspersky, Matthieu Suiche from Comae Technologies, and Symantec.

According to Kaspersky, it’s improbable that the code similarities represent a false flag. The Lazarus-linked code present in the early variant of WannaCry has been removed in the later versions, but both ransomware variants were “compiled by the same people, or by people with access to the same sourcecode,” the security firm says.

Symantec, on the other hand, was also able to pinpoint exactly the Lazarus tools the older WannaCry samples share similarities with. “This SSL implementation uses a specific sequence of 75 ciphers which to date have only been seen across Lazarus tools (including Contopee and Brambul) and WannaCry variants,” the company said.

Last year, Symantec linked the Banswift Trojan that was used in the Bangladesh attack to manipulate SWIFT transactions with early variants of Contopee, which was already known to be used by attackers associated with Lazarus. In their report on Op Blockbuster, BAE Systems also suggested the Bangladesh heist and the 2014 Sony attack were linked.

“Symantec identified the presence of tools exclusively used by Lazarus on machines also infected with earlier versions of WannaCry. These earlier variants of WannaCry did not have the ability to spread via SMB. The Lazarus tools could potentially have been used as method of propagating WannaCry, but this is unconfirmed,” the security firm continues.

A definite link between Lazarus and WannaCry can’t be established at the moment, but the connection certainly requires further investigation. Symantec says they plan a deeper analysis of this, while Kaspersky has shared its Yara rule and has also called for other security firms to look into this.

Related: North Korea-Linked Hacker Group Poses Serious Threat to Banks: Kaspersky

Related: Kaspersky Links Global Cyber Attacks to North Korea

Related: Sony Hackers Linked to Many Espionage, Destruction Campaigns

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Cyberwarfare

WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Cyberwarfare

Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Cyberwarfare

Several hacker groups have joined in on the Israel-Hamas war that started over the weekend after the militant group launched a major attack.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Cybercrime

On the first anniversary of Russia’s invasion of Ukraine, cybersecurity companies summarize the cyber operations they have seen and their impact.

Cyberwarfare

The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...