Multiple security researchers have noticed the similarities

May 15, 2017 22:32 GMT

A new twist to the WannaCry story puts the authors of the ransomware in North Korea. 

Earlier today, a Google researcher by the name of Neel Mehta posted a message on Twitter featuring the hashtag #WannaCryptAttribution.  

The message also references code from two samples, a WannaCry cryptor sample from February 2017 and a Lazarus APT group sample from February 2015, folks from Kaspersky Lab point out. The commands presented in the tweet represent an encoding algorithm.

Lazarus is a rather well-known hacker group. They've been linked to the Sony Wiper attack, as well as the Bangladesh bank heist that left the bank a few millions short. The group has been active since 2011, and hundreds of samples linked to Lazarus have been collected over the years. Mostly, these revealed that the group was creating malware, producing new samples via "multiple independent conveyors."

Lazarus or copy-cats?

There are, of course, plenty of questions about whether this is true or just a ruse. After all, it would not have been that difficult for the WannaCry authors to copy Lazarus' code. On the other hand, the code appears not to have been removed from the 2015 backdoor code, which makes the story that much more believable.

Folks at Kaspersky are pretty certain that the WannaCry sample made available in February 2017 was actually compiled by the same people behind the current attack, or by people with access to the same source code.

Other security researchers besides Mehta have also noticed the same similarity, such as Comae Technologies' Matthieu Suiche, who also discovered and killed a new variant by activating the kill switch.  

Now, the interesting part is that Lazarus has been identified by US intelligence agencies as a North Korean government operation. Kaspersky Lab itself presented some evidence just a month or so ago, linking the attacks on Vietnamese banks, the Bangladeshi bank, as well as the SWIFT banking system, to Lazarus and North Korea.