Who Conducted the WannaCry Ransomware Attacks?
The WannaCry ransomware attacks that started on Friday May 12 rapidly spread to more than 150 countries. While the attacks have been halted, IT security professionals are still scrambling to secure their systems and the search is now on for the perpetrators.
Malware researchers are analyzing the ransomware code and attack method to try to find clues that will reveal who conducted the WannaCry ransomware attacks.
At this stage in the investigation, no concrete evidence has been uncovered that links the attacks to any individual or hacking group, although a Google security researcher, Neel Mehta, has found a possible link to the Lazarus Group; a hacking organization believed to be based in China with links to North Korea.
The Lazarus Group is thought to be behind the attack on Sony Pictures in 2014 and the major heist on the Bangladesh central bank in February this year. While the link between the Lazarus Group and North Korea has not been comprehensively proven, the U.S. government is sure the group has been backed by North Korea in the past.
WannaCry Ransomware Code has been Reused
Mehta discovered parts of the ransomware code from the latest attacks were the same as code in a 2015 backdoor used by the Lazarus Group, suggesting the WannaCry ransomware attacks were conducted either by the Lazarus Group or by someone who has access to the same code.
Mehta also compared the code from the latest WannaCry ransomware variant and the backdoor to an earlier version of WannaCry ransomware from February and found code had been shared between all three. Symantec’s researchers have confirmed the code similarities.
Whether the Lazarus Group conducted the attacks is far from proven, and there is no evidence to suggest that were that to be the case, that the group had any backing from North Korea. The group could have been acting independently.
While some have called this link ‘strong evidence’, it should be explained that comparing code between malware samples does not confirm origin. Code is often reused and it is possible that the actors behind this campaign may have put in a false flag to divert attention from themselves onto the Lazarus Group and North Korea.
While the false flag idea is possible and plausible, Kaspersky Lab believes it is improbable and that the similarities in the source code point the finger of blame at the Lazarus Group.
Many Questions Remain Unanswered
The link with the Lazarus Group/North Korea is now being investigated further, but there are currently many questions unanswered.
The ransomware included a self-replicating function making it act like a worm, allowing it to rapidly spread to all vulnerable computers on a network. The sophistication of the attack suggests it was the work of a highly capable organization rather than an individual. However, the kill switch in the ransomware that was discovered by UK researcher ‘Malware Tech,’ allowed the infections to be halted. Such an ‘easily found’ kill switch would be atypical of such a sophisticated hacking group.
Previous attacks linked with the Lazarus Group have also been highly targeted. The WannaCry ransomware attacks over the weekend were purposely conducted in multiple countries, including China and Russia. The widespread nature of the attacks would be a departure from the typical attack methods used by Lazarus.
There are doubts as to whether North Korea would back an attack on its neighbours and allies, and while financially motivated attacks cannot be ruled out, past state-sponsored attacks have had a political purpose.
At this stage, it is not possible to tell who conducted the WannaCry ransomware attacks, but the latest discovery is an important clue as to who may be responsible.