Symantec: "Highly likely" North Korea was behind WannaCry global ransomware attacks
More links uncovered between WannaCry ransomware and North Korean-government linked gangs
Security specialist Symantec has claimed that it is "highly likely" that North Korea was behind the WannaCry global ransomware attack that infected more than 300,000 computers worldwide and affected as many as one-fifth of NHS hospital trusts in the UK.
In a blog post analysing the code behind the attack, Symantec claimed that there are strong links between the code used in the WannaCry attacks and the malware tools used in the 2014 attacks against Sony Pictures and the $81m cyber-heist perpetrated against Bangladesh Bank last year.
The WannaCry 2.0 ransomware attacks earlier this month used almost exactly the same code as the WannaCry 1.0 attacks in February, March and April this year, which gained barely any traction; the only difference was the method of propagation.
WannaCry 2.0 made use of an exploit for Microsoft's SMB networking protocol that had, for years, been used by the US National Security Agency, until it was stolen by the Shadow Brokers hacking group earlier this year.
Symantec linked the WannaCry outbreak to what it calls 'Lazarus'.
"Analysis of these early WannaCry attacks by Symantec's Security Response Team revealed substantial commonalities in the tools, techniques, and infrastructure used by the attackers and those seen in previous Lazarus attacks, making it highly likely that Lazarus was behind the spread of WannaCry.
"Despite the links to Lazarus, the WannaCry attacks do not bear the hallmarks of a nation-state campaign but are more typical of a cybercrime campaign. These earlier versions of WannaCry used stolen credentials to spread across infected networks, rather than leveraging the leaked EternalBlue exploit that caused WannaCry to spread quickly across the globe," claimed Symantec.
The company linked a number of types of malware to Lazarus/North Korea:
- Trojan.Volgmer and two variants of Backdoor.Destover, the disk-wiping tool used in the Sony Pictures attacks;
- Trojan.Alphanc, a modified version of Backdoor.Duuzer, which was used to spread WannaCry 1.0;
- Trojan.Bravonc, which uses code obfuscation similar to that found in WannaCry and Infostealer.Fakepude; and
- Backdoor.Contopee, which shares code with WannaCry.
Analysis of the code left behind by the WannaCry 1.0 attacks has therefore helped to link WannaCry 2.0 with the North Korean Lazarus group, according to Symantec.
"These earlier attacks involved significant use of tools, code, and infrastructures previously associated with the Lazarus group, while the means of propagation through backdoors and stolen credentials is consistent with earlier Lazarus attacks.
"The leak of the EternalBlue exploit was what allowed the attackers to turn WannaCry into a far more potent threat than it would have been had they still been relying on their own tools, since it bypassed many of the steps the attackers previously had to take, removing both the need to steal credentials and copy it from computer to computer."
Links between WannaCry and North Korea were first made last week by Google security researcher Neel Mehta. In the wake of the WannaCry attacks, Google has also been criticised for refusing to patch a security flaw in Android that is used by three-quarters of all ransomware propagated on the company's mobile platform.