Experts probe potential link of ransomware cyber attack to North Korea

Janie Parker
May 17, 2017

Some cybersecurity experts say North Korea could be the source of the notorious WannaCry ransomware, having spotted code similarities between the malware and other malicious tools attributed to hackers from the reclusive nation.

Investigators say they have detected code similar to that used by the Lazarus Group, a hacking group implicated in the 2014 attack on Sony Pictures.

WannaCry paralysed computers running mostly older versions of Microsoft Windows in 150 countries. "This group might be behind WannaCry also", he added. Infected hospitals soon responded by turning away patients and rerouting ambulances.

The spread of WannaCry has slowed as new defences have been put in place, but the malware still found its way into hundreds of thousands more computers while businesses and governments assessed the damage and planned their next moves. The outbreak was largely contained because the attackers failed to register a domain name hard-coded into the malware, which a security researcher then registered.

Security firms Kaspersky and Symantec then analysed the two samples flagged by Google researcher Neel Mehta, an early WannaCry build and a sample of Contopee, a backdoor attributed to the Lazarus Group, and found that part of the WannaCry code was shared with Contopee.

Kaspersky Lab said in a statement that "the similarity of course could be a false flag operation", but it judged it improbable that the shared Contopee code had been planted as a decoy. "One thing is for sure - Neel Mehta's discovery is the most significant clue to date regarding the origins of WannaCry", Kaspersky said in a blog post.

An alternative theory is that, if it was indeed the Lazarus Group, the group was acting alone, simply to cause a degree of chaos.

Kaspersky Lab said in its analysis that further investigation will help resolve the remaining mysteries surrounding the attack.

A major attack on Sony Pictures brought the movie studio to its knees in 2014.

Other researchers agreed that the shared code between WannaCry and Contopee was significant. Symantec said it had also spotted tools used specifically by the Lazarus Group on computers that had previously been infected with an early version of the ransomware. Yet WannaCry behaves like the standard ransomware used by cyber criminals, and it is unclear why a country such as North Korea would be interested in payments of $300 at a time from each victim.
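The finding rests on byte sequences that appear in both families. The following is an added illustration of that kind of analysis, written for this page; it is not code from Kaspersky, Symantec or Neel Mehta, and the sample bytes (SHARED_ROUTINE, RUNTIME_STUB, the fillers and the benign file) are constructed for the example rather than taken from WannaCry or Contopee. It finds every maximal byte run two files share, renders each as a hex pattern, and then checks the run against unrelated files, because a fragment that also appears in ordinary software (a compiler runtime, a common library) says nothing about who wrote the malware.

```python
"""Locate byte runs shared by two binaries and test whether each run is
distinctive. Added example with constructed data; no real malware bytes."""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

Match = Tuple[int, int, int]  # (offset in a, offset in b, run length)


def common_fragments(a: bytes, b: bytes, min_len: int = 16) -> List[Match]:
    """Return every maximal byte run of at least min_len present in both a and b.

    Index all min_len-byte windows of a, scan b for hits, then extend each hit
    forward while the bytes keep agreeing. Alignments already covered by a
    reported run are skipped, so each shared run is reported exactly once.
    """
    index: Dict[bytes, List[int]] = defaultdict(list)
    for i in range(len(a) - min_len + 1):
        index[a[i:i + min_len]].append(i)

    matches: List[Match] = []
    seen = set()
    for j in range(len(b) - min_len + 1):
        for i in index.get(b[j:j + min_len], ()):
            if (i, j) in seen:
                continue
            k = min_len
            while i + k < len(a) and j + k < len(b) and a[i + k] == b[j + k]:
                k += 1
            for d in range(k - min_len + 1):
                seen.add((i + d, j + d))  # sub-alignments of this run
            matches.append((i, j, k))
    return matches


def is_distinctive(fragment: bytes, benign: Iterable[bytes]) -> bool:
    """A shared run only links two families if it is absent from unrelated
    code; a run found in ordinary binaries is library or compiler output."""
    return not any(fragment in sample for sample in benign)


def hex_pattern(fragment: bytes) -> str:
    """Space-separated hex, the form a YARA hex string `{ .. }` would take."""
    return " ".join(f"{x:02x}" for x in fragment)


# --- constructed sample data (made up for this example) ------------------
# Stand-in for a routine unique to the two related families.
SHARED_ROUTINE = bytes.fromhex(
    "5589e583ec1c8b450c8b550850e8000000005a81c2f40a0000")
# Stand-in for a startup stub that any compiler would emit.
RUNTIME_STUB = bytes.fromhex("558bec83e4f883ec2053565764a1000000008945fc")
# Fillers with different constant byte steps, so the fillers themselves never
# share a run of two or more bytes.
_FILLER_A = bytes((i * 7) % 256 for i in range(600))
_FILLER_B = bytes((i * 13 + 5) % 256 for i in range(400))
_FILLER_C = bytes((i * 11 + 3) % 256 for i in range(200))
SAMPLE_A = (_FILLER_A[:100] + RUNTIME_STUB + _FILLER_A[100:300]
            + SHARED_ROUTINE + _FILLER_A[300:])
SAMPLE_B = (_FILLER_B[:40] + RUNTIME_STUB + _FILLER_B[40:120]
            + SHARED_ROUTINE + _FILLER_B[120:])
# An unrelated "benign" file that carries the same startup stub.
BENIGN = [_FILLER_C[:50] + RUNTIME_STUB + _FILLER_C[50:]]


def analyse(a: bytes = SAMPLE_A, b: bytes = SAMPLE_B,
            benign: Iterable[bytes] = BENIGN) -> List[dict]:
    """Report each shared run with its hex pattern and a distinctiveness flag."""
    report = []
    for i, j, k in common_fragments(a, b):
        frag = a[i:i + k]
        report.append({
            "offset_a": i, "offset_b": j, "length": k,
            "pattern": hex_pattern(frag),
            "distinctive": is_distinctive(frag, benign),
        })
    return report


if __name__ == "__main__":
    for hit in analyse():
        print(hit)
```

On the constructed data the analysis reports two shared runs; the 21-byte stub is flagged as not distinctive because it also appears in the benign file, while the 25-byte routine survives the check. In practice the benign corpus would be large (clean system binaries, common runtimes) and the surviving runs would still be read by an analyst, since code can be stolen, bought or planted, which is exactly the false-flag caveat the researchers raise.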

According to Amanda Rousseau, malware researcher at security firm Endgame, it's hard to catch cybercriminals.

If North Korea, believed to be training cyber warriors at schools, is responsible for the latest attack, Mr Choi said, the world should stop underestimating its capabilities and work together on new ways to respond to cyber threats, such as having China pull the plug on North Korea's internet. The shared code fragment, published on Twitter, is exclusive to North Korean hackers, researchers said.

A North Korean origin might also explain other unusual features of the malware, including the failure to register the domain name that acts as its kill switch: the worm checks whether it can reach that domain before running, so once a researcher registered it, new infections halted.

He told a news conference that "it appears that less than $70,000 has been paid in ransoms and we are not aware of payments that have led to any data recovery".

The usual caveat applies: attributing attacks is error-prone, and shared code alone does not prove who deployed it, since code can be stolen, bought or planted.

Not everyone agrees that the North is behind the attacks, and the evidence so far is only circumstantial.

"They didn't tell Microsoft about the vulnerability, they tried to use it instead, and two, they allowed this attack tool to be stolen, right out from under their noses", Clarke said.