In the midst of the recent WannaCry attack, researchers identified clues linking the massive ransomware outbreak to the hacker crew Lazarus Group. This offensive cyber unit has been suspected of operating out of North Korea for some time. According to internet security experts at Symantec, there is now even more evidence to support the theory that there is a strong connection between WannaCry and Lazarus Group.
Researchers first noticed similarities between code used by Lazarus, the group believed to be responsible for the 2014 Sony Pictures hack and an unprecedented $81 million bank heist, and the code used in the WannaCry ransomware. Before that, Google security researcher Neel Mehta had pointed out links between the WannaCry ransomware and the Contopee cyber weapon created by Lazarus.
Symantec researchers identified evidence linking some of the earliest known variants of WannaCry, which differed only slightly from the version involved in the recent attack, to a handful of targeted attacks. Through a detailed examination of those earlier WannaCry samples, Symantec concluded that the techniques, tools, and infrastructure the attackers used resembled those used in earlier Lazarus attacks. This makes it almost certain that Lazarus was behind WannaCry.
However, the security company noted that rather than bearing the marks of a typical nation-state campaign, the attack more closely resembled a cybercrime campaign. The ransomware infected upwards of 200,000 computers, a large percentage of them in U.K. hospitals. The perpetrators demanded a Bitcoin payment of $300 to unlock the files and warned that the files would be deleted if payment was not received. They are believed to have earned over $100,000 in Bitcoin payments so far.
A significant clue emerged when the ransomware used to infect an early WannaCry victim was found to contain two variants of Destover, the same disk-wiping tool the attackers used in the Sony Pictures hack. Another tool, Volgmer, which Lazarus has used to attack South Korean computers, was also found on the victim’s computers. The victim has not been named, but the ransomware is known to have infected 100 of its computers.
Additionally, the WannaCry ransomware took advantage of a backdoor called Alphanc to spread more quickly during attacks in March and April. The victims of those attacks have likewise not been identified. According to Symantec, Alphanc is a modified version of software already linked to Lazarus, called Duuzer.
The only reasonable explanation for this evidence is that either Lazarus is responsible or someone has gone to great lengths to frame the group. Because faking evidence of this kind is extremely difficult, it is far more likely that Lazarus will ultimately be found to be the culprit.
The original WannaCry attacks did not use the leaked NSA tools that later attacks relied on. But, according to Symantec, there was very little difference in how the .zip files embedded in WannaCry were encrypted across different samples. That makes it even more likely that all variants came from the same hacker group, Symantec says.