Researchers at Symantec have found evidence the hacker collective known as Lazarus Group may be responsible for the WannaCry ransomware.
The researchers have found a number of similarities between earlier versions of WannaCry and attacks that Lazarus have conducted in the past.
“Analysis of these early WannaCry attacks by Symantec’s Security Response team revealed substantial commonalities in the tools, techniques, and infrastructure used by the attackers and those seen in previous Lazarus attacks, making it highly likely that Lazarus was behind the spread of WannaCry,” Symantec writes on its official blog.
The links to Lazarus are highly technical, but in the interest of clarity we’re going to lay them out here.
The first link dates to WannaCry’s debut in February, which used the Trojan.Volgmer malware. At that stage WannaCry was also using two variants of Backdoor.Destover, which Symantec says was used to destroy 1TB of data at Sony Pictures in 2014. That attack on Sony was linked to Lazarus.
Then, in March, researchers discovered WannaCry was using Trojan.Bravonc, a modified version of the Backdoor.Duuzer malware, which was also linked to Lazarus.
The researchers report that Trojan.Bravonc, Backdoor.Duuzer and Backdoor.Destover used the same IP address for command and control.
Finally, researchers discovered that Backdoor.Contopee (more malware linked to Lazarus) contains code that has been found in WannaCry.
Of course, these similarities are not enough to say conclusively that Lazarus Group is responsible for the attacks, but the evidence is compelling.
While Lazarus Group is said to have ties to North Korea, it is rather difficult to pinpoint where the group operates from and whether it is executing the attacks on behalf of another party.
As time goes on we may find more evidence that tells us who started the WannaCry attack, or perhaps we will get lucky and somebody will come forward and claim ownership.