Security Analysts Say North Korea Linked Malware Shares WannaCry Ransomware Code. Security analysts have said that the WannaCry ransomware source, which has now spread to more than150 countries, might be Pyongyang or those who are trying to frame it. 

The analysts said that there are code similarities between the malware that has been attributed to the hackers from North Korea and the virus.


Speculation about the connection with North Korea rose on Monday when a Google security researcher found a likeness to the code that had been used on what has now been said to be an earlier version of the WannaCry ransomware and that of the hacker tool that was used by the Lazarus Group on Twitter. 

The post drew the attention of the experts as it contained what seems to be a random set of figures along with letters to the outside, along with the hashtag #WannaCryptAttribution. 

Kaspersky Lab explained that Mehta drew parallels between the WannaCry crypto sample of February 2017 and the Lazarus APT group sample of February 2015.


The revelation is said to be one of the biggest clues to date about the origins of WannaCry. 

The researchers also acknowledged that the use by the WannaCry attackers of the code that was similar was not enough to make a conclusion that was definitive about the origin. 

They said that there was the possibility it was a false flag operation and much more international effort would be needed to uncover the roots. 

They went on to say that it was important for other researchers around the globe to look into the similarities. 

They also pointed out that there was very little doubt that the code from February 2017 which was referenced by Mehta had been compiled by the same people or perhaps people who had access to the same source code as that was used in the attacks of current. 

Code Is Unique, Meaning Group Could Be Behind WannaCry Mathieu Suiche, a researcher from Comae Technologies said through Twitter that the code did have similarities that may put security experts on the hackers trail. 

He said that the WannaCry program and this one attributed to Lazarus did have code that was unique and so this group could also be the ones behind the WannaCry too. 

He also agreed with the researchers of Kaspersky that people should not rush to put the blame on North Korea solely based on those assumptions. 

He went on to say that attribution could be faked easily as it was a simple matter of moving bytes around. 

Symantec, the security giant in the US also voiced an opinion that was similar when they said that they had found a code that had been used in malware that was unique to the tools used by Lazarus, they would not speculate about the role of North Korea in the attack. 

They said that they had not been able to confirm the tools used by Lazarus deployed the WannaCry program on systems. 


The Lazarus Group has been said to be behind many high-profile attacks on the SWIFT servers of banks, one of which was an attempt to steal $851 million from the Central Bank in Bangladesh in February last year and it is thought to be responsible for the Sony Pictures hack in November 2014. 

There has not been any compelling proof to implicate North Korea or in fact any other state actor in the cyber heists, however, there has been some evidence found by Kaspersky Lab that does seem to suggest support of the speculation. 

In April they said that some of the IP addresses that had been used in the Lazarus attack had been traced back to North Korea, establishing a direct link between the cyber criminals who had been involved in the Lazarus operation and the rogue state. 

They did not name North Korea as a culprit due to lack of evidence.


The ransomware started spreading globally on Friday with the name of WannaCry and it exploits a vulnerability in Windows computers that was discovered first by the National Security Agency and then leaked by a hacker to the public with the name of Shadow Brokers, last month. 

Windows then closed the loophole by issuing an update. 

When the malware infects the system the user is sent a text file with a demand for $300 in Bitcoins and installs a timer that counts down on the wallpaper of the victim asking for the money otherwise private files will be deleted. 

One of the most notable of the victims in the UK was the National Health Service, while the Interior Ministry in Russia and the telecommunications company Telefonica in Spain was also affected. 

Check Point Software Technologies said that they had found and neutralized an updated version of the WannaCry program on Monday when they initiated a kill switch inside of the software. 

The WannaCry ransomware now seems to have passed its peak and the security expert at the front of the battle said that the attack is now done and dusted thanks to the effort of numerous specialists.


Popular Posts