WannaCry, the ransomware worm behind the worst cyber attack in recent years, which hit more than 250,000 machines in around 150 countries, is believed to have a link with the North Korean government. Security researchers believe code found in an earlier version of the WannaCry ransomware that struck last week was compiled by, or shares code with, the Lazarus Group, a hacker group backed by North Korea that was held responsible for the attack on Sony Pictures in 2014 as well as the $81m Bangladesh Bank heist in 2016.
Google researcher Neel Mehta first spotted the similarities between the code samples, and several security firms, including Kaspersky and UAE-based Comae Technologies, confirmed the overlap between the two. However, experts caution that the WannaCry authors could have borrowed or reused code from a 2015 Lazarus Group backdoor to plant a 'false flag' and mislead the investigation; the shared code appears in the early WannaCry encryptor and was removed from the later variants.
“We believe it’s important that other researchers around the world investigate these similarities and attempt to discover more facts about the origin of WannaCry,” said Kaspersky Lab in a blog post. Kaspersky has been tracking the Lazarus Group for years and published a detailed report on its modus operandi in April.
“This level of sophistication is something that is not generally found in the cybercriminal world. It’s something that requires strict organization and control at all stages of operation. That’s why we think that Lazarus is not just another advanced persistent threat actor,” said Kaspersky.
Both the earlier and the later variants of the WannaCry encryptor contain kill switches, which suggests the WannaCry creators are state-backed, since malware developed by financially motivated criminal groups is highly unlikely to include one. “Malware authors rarely wonder ‘What if this totally gets out of hand?’” said Martijn Grooten, a security researcher at Virus Bulletin. “Kill switches in malware are rare, and I can only think of government malware with those built in. Governments care about collateral damage far more than criminals do. And North Korea has recently been active as the Lazarus group.”
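To make concrete what a kill switch of the kind discussed above does, and why registering its domain stopped the spread, here is an added illustration written for this page; it is not code from the article, from WannaCry, or from any of the researchers quoted. The sentinel domain, the resolver callables and the DNS log lines are all constructed placeholders (WannaCry's real domain is deliberately not reproduced). The block models the attacker-side control flow (abort if the sentinel resolves) and the defender-side consequence (once the domain is sinkholed, every infected host that performs the check shows up as a DNS query), which is the practical reason a kill switch limits collateral damage.

```python
import re
import socket
from typing import Callable, Iterable, List, Optional

# Placeholder sentinel domain: an assumption for this example, not WannaCry's
# actual kill-switch domain. ".invalid" can never resolve on the real internet.
SENTINEL_DOMAIN = "unregistered-sentinel-example.invalid"

Resolver = Callable[[str], Optional[str]]


def live_resolver(domain: str) -> Optional[str]:
    """Resolve with the system resolver; return None if the name does not exist."""
    try:
        return socket.gethostbyname(domain)
    except (socket.gaierror, socket.herror):
        return None


def kill_switch_triggered(resolve: Resolver, domain: str = SENTINEL_DOMAIN) -> bool:
    """True when the sentinel domain resolves, i.e. the code should abort.

    While the domain is unregistered, resolution fails and execution continues.
    Once somebody registers (sinkholes) it, every new instance that performs
    this check sees a successful lookup and stops before doing anything else.
    """
    return resolve(domain) is not None


def simulated_execution(resolve: Resolver, domain: str = SENTINEL_DOMAIN) -> str:
    """Model the control flow: the check runs first, the payload only if it fails."""
    if kill_switch_triggered(resolve, domain):
        return "aborted: kill switch domain resolves"
    return "continuing: sentinel unresolved (payload would run here)"


# Defender side: a sinkholed sentinel turns every infected host into a DNS
# signal. This scans BIND-style query log lines for lookups of the sentinel.
DNS_QUERY_RE = re.compile(
    r"client (?P<src>\d+\.\d+\.\d+\.\d+)#\d+: query: (?P<qname>\S+) IN"
)


def hosts_querying_sentinel(log_lines: Iterable[str],
                            domain: str = SENTINEL_DOMAIN) -> List[str]:
    """Return the distinct client IPs that queried the sentinel domain, in order seen."""
    hits: List[str] = []
    for line in log_lines:
        m = DNS_QUERY_RE.search(line)
        if not m:
            continue
        # Trailing dot marks an absolute name in query logs; compare case-insensitively.
        if m.group("qname").rstrip(".").lower() == domain.lower():
            src = m.group("src")
            if src not in hits:
                hits.append(src)
    return hits


# Constructed sample log lines (BIND query-log format); not real traffic.
SAMPLE_DNS_LOG = [
    "12-May-2017 10:01:02.113 client 10.0.4.17#53122: query: www.example.com IN A + (10.0.0.53)",
    f"12-May-2017 10:01:05.448 client 10.0.4.17#53130: query: {SENTINEL_DOMAIN} IN A + (10.0.0.53)",
    f"12-May-2017 10:01:06.901 client 10.0.7.201#49811: query: {SENTINEL_DOMAIN}. IN A + (10.0.0.53)",
    "12-May-2017 10:01:07.020 client 10.0.4.18#53140: query: updates.example.org IN AAAA + (10.0.0.53)",
]

if __name__ == "__main__":
    unregistered = lambda d: None          # nobody has registered the domain yet
    sinkholed = lambda d: "203.0.113.7"    # a researcher registered it (TEST-NET-3 address)
    print(simulated_execution(unregistered))
    print(simulated_execution(sinkholed))
    print("hosts that queried the sentinel:", hosts_querying_sentinel(SAMPLE_DNS_LOG))
```

The resolver is injected so the block runs offline; pass `live_resolver` to perform a real lookup. The design point is that the check is a single precondition evaluated before any damage, so one action by a third party (registering the name) flips the outcome for every future infection at once, which is exactly the collateral-damage brake Grooten describes.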
The clue may help the worldwide investigation pin down the origins of one of the worst malware outbreaks the world has seen. Even if a connection between North Korea and WannaCry is established, the state is unlikely to admit involvement, but the origins of the attack already look far more unusual than anyone suspected.