Security Experts:

Connect with us

Hi, what are you looking for?



North Korea Possibly Behind WannaCry Ransomware Attacks

An earlier WannaCry ransomware sample shows code similarities with malware used by a North Korea-linked hacking group responsible for multiple financial and destructive attacks, security researchers say.

An earlier WannaCry ransomware sample shows code similarities with malware used by a North Korea-linked hacking group responsible for multiple financial and destructive attacks, security researchers say.

Considered the world’s biggest ransomware attack to date, WannaCry went on rampage over the weekend, hitting targets in 150 countries and infecting over 230,000 computers at its peak. The spread slowed down on Monday, but not before new malware variations emerged.

The ransomware’s weak point was a hardcoded domain used for sandbox evasion, which also served as a kill-switch: once the domain was registered, the malware no longer infected new machines.

North Korea Behind WannaCry Ransomware?

Responsible for the massive outbreak was a worm component abusing the NSA-linked EternalBlue exploit to target a vulnerability in Windows’ Server Message Block (SMB). Microsoft addressed the flaw in its March 2017 security updates (the MS17-010 patch), and also issued an emergency patch for unsupported platforms over the weekend.

WannaCry initially emerged in February, but didn’t make an impact then. Unlike the most recent attack, the previous infection runs used standard distribution methods, such as spam emails and malware droppers. The recent ransomware samples are also different from the previous iteration, code-wise.

Neel Mehta, a researcher at Google, was the first to notice code similarities between the February 2017 WannaCry variant and a February 2015 sample tied to the North Korean-linked hacking group Lazarus. The actor is supposedly responsible for the $81 million cyber heist from Bangladesh’s account at the New York Federal Reserve Bank in 2016 and for the devastating attack against Sony Pictures in 2014. 

Also referred to as BlueNoroff, Lazarus has been associated with various global attacks, and security researchers consider it the most serious threat against banks. Earlier this year, the actor targeted banks in Poland as part of a larger campaign targeting financial organizations around the world.

“The scale of the Lazarus operations is shocking. The group has been very active since 2011 and was originally disclosed when Novetta published the results of its Operation Blockbuster research. During that research, hundreds of samples were collected and show that Lazarus is operating a malware factory that produces new samples via multiple independent conveyors,” Kaspersky Lab says.

At the moment, Neel Mehta’s discovery represents the most significant clue related to WannaCry’s origins, as it didn’t take long before others confirmed the connection with Lazarus, including Kaspersky, Matthieu Suiche from Comae Technologies, and Symantec.

According to Kaspersky, it’s improbable that the code similarities represent a false flag. The Lazarus-linked code present in the early variant of WannaCry has been removed in the later versions, but both ransomware variants were “compiled by the same people, or by people with access to the same sourcecode,” the security firm says.

Symantec, on the other hand, was also able to pinpoint exactly the Lazarus tools the older WannaCry samples share similarities with. “This SSL implementation uses a specific sequence of 75 ciphers which to date have only been seen across Lazarus tools (including Contopee and Brambul) and WannaCry variants,” the company said.

Last year, Symantec linked the Banswift Trojan that was used in the Bangladesh attack to manipulate SWIFT transactions with early variants of Contopee, which was already known to be used by attackers associated with Lazarus. In their report on Op Blockbuster, BAE Systems also suggested the Bangladesh heist and the 2014 Sony attack were linked.

“Symantec identified the presence of tools exclusively used by Lazarus on machines also infected with earlier versions of WannaCry. These earlier variants of WannaCry did not have the ability to spread via SMB. The Lazarus tools could potentially have been used as method of propagating WannaCry, but this is unconfirmed,” the security firm continues.

A definite link between Lazarus and WannaCry can’t be established at the moment, but the connection certainly requires further investigation. Symantec says they plan a deeper analysis of this, while Kaspersky has shared its Yara rule and has also called for other security firms to look into this.

Related: North Korea-Linked Hacker Group Poses Serious Threat to Banks: Kaspersky

Related: Kaspersky Links Global Cyber Attacks to North Korea

Related: Sony Hackers Linked to Many Espionage, Destruction Campaigns

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona


The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...


A newly identified threat actor tracked as NewsPenguin has been targeting military organizations in Pakistan with sophisticated malware.