Security experts link WannaCry ransomware to Lazarus Group

Pierluigi Paganini May 16, 2017

In the IT security community several experts start linking the WannaCry ransomware to the Lazarus Group due to similarities in the attack codes.

The security researcher at Google Neel Mehta published a mysterious tweet using the #WannaCryptAttribution hashtag. What did he mean?

According to experts at Kaspersky, the string is a portion of code that Neel noticed in a very early variant of WannaCry ransomware found in February 2017 and in one of the malware used by the notorious Lazarus APT group dated back February 2015.

Wannacry ransomware vs Lazarus_02-1024x549

What does it all mean?

The activity of the Lazarus Group surged in 2014 and 2015, its members used mostly custom-tailored malware in their attacks and experts that investigated on the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed to destroy data and disrupt systems.

The experts at Symantec have spotted in the past at least three strains of malware used by the group, Backdoor.Fimlis, Backdoor.Fimlis.B, and Backdoor.Contopee, which have been used in targeted attacks against financial institutions.

The attackers exploited “watering holes” in order to infect the machines of a specific audience with previously unknown malware.

Researchers speculate the group was responsible for the last wave of attacks against banks worldwide, for the Sony hack, and the DarkSeoul operation.

Is it possible that attackers behind the WannaCry have used a false flag?

Experts from Kaspersky believe that the theory of a false flag is improbable because the portion of shared code appears only in the early version of WannaCry, but was removed later.

“For now, more research is required into older versions of Wannacry. We believe this might hold the key to solve some of the mysteries around this attack. One thing is for sure — Neel Mehta’s discovery is the most significant clue to date regarding the origins of WannaCry.” reads a blog post shared by Kaspersky Lab.

The question is: is there a link between early February WannaCry variant and the sample used in the recent massive cyber attacks?

According to Kaspersky, the answer is “YES”.  The recent variant is able to target more file extension targets for encryption.

“We strongly believe the February 2017 sample was compiled by the same people, or by people with access to the same sourc ecode as the May 2017 Wannacry encryptor used in the May 11th wave of attacks.” continues Kaspersky.

Kaspersky shared the YARA rule used to find the WannaCry sample.

Let me close with the analysis shared by Matthieu Suiche from Comae:

“The attribution to Lazarus Group would make sense regarding their narrative which in the past was dominated by infiltrating financial institutions in the goal of stealing money.

If validated, this means the latest iteration of WannaCry would in fact be the first nation state powered ransomware.

This would also mean that a foreign hostile nation would have leveraged lost offensive capabilities from Equation Group to create global chaos.

In the meantime, a third kill switch appeared in the wild — the fact it contains lmaowould mean, if the above attribution is correct, that the attacker is purposely sending multiple messages:

  • A Global provocation message to the Law Enforcement & Security researcher community to be translated as “Keep Trying”.
  • Enforce the theory that the last iteration of WannaCry is a destructive operation to create political mayhem.!

Stay tuned

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – WannaCry ransomware, cybercrime)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment