Researchers find link between North Korean hackers and Wanna Cry

© Getty Images

Researchers have discovered identical code in the Wanna Cry ransomware and a North Korean state hacking group. 

Wanna Cry has infected hundreds of thousands of machines across 150 countries. Victims have ranged from British hospitals to the Russian Ministry of the Interior, to a Spanish Telecom. 

Google security researcher Neel Mehta appears to be the first to have noticed that large swaths of computer code in an early version of Wanna Cry were identical to code used by the Lazarus Group, a team of hackers linked to the government of North Korea

Mehta tweeted midday Monday a roadmap researchers could use to find the overlapping code. 

The overlap has swayed other researchers. Kaspersky Lab noted that the matching code was removed from later versions of the ransomware, which they believe would be unlikely if it had been intended to throw researchers off the scent of the real criminals. The overlap only shows up in a sample from February. 

"We believe a theory a false flag although possible, is improbable," Kaspersky Lab explained in a blog post.

Lazarus Group is best known for hacking Sony Pictures in 2014 to protest the movie "The Interview." But recently it has been linked to a series of digital bank robberies that, in one case, stole $81 million from the central bank of Bangladesh. The robberies would, many suspect, provide a revenue stream while the country faces crippling sanctions. 

Kaspersky Lab describes the overlapping code as a significant piece of evidence but does not believe it solves the case. 

"For now, more research is required into older versions of Wannacry. We believe this might hold the key to solve some of the mysteries around this attack. One thing is for sure — Neel Mehta’s discovery is the most significant clue to date regarding the origins of [Wanna Cry]," the company's post reads.

‘Wanna Cry’ virus infecting computers around the world, Tampa Bay area bracing for impact

TAMPA, Fla. – Monday, companies across the globe woke up to find they were under attack.

A virus known as “Wanna Cry” started infecting computers before the weekend, but many did not find out until they started trying to open files with the start of the work week.

More than 200,000 systems have been infected in over 150 countries around the world.

Systems at British Hospitals, Germany’s national railway, Spain’s biggest phone company and even Fed Ex in the United States have been victimized by the virus that demands corporations and individuals pay a ransom to regain files that have been encrypted by the attacker.

James Ullery at LED Tampa is familiar with the problem.

His company’s computers were infected by a virus in 2016.

An employee discovered the attack when he tried to open critical files on a company computer.

“He said ‘I can’t open up any of the camera files’ and he said ‘they are no longer JPGES,’ he said ‘they have some strange extension on the end of the camera files,'” said Ullery.

A message demanded the company pay $500 to regain access to the files.

“So, in essence, we couldn’t conduct business, because we had no access to any data that was current,” said Ullery.

His system back-up was more than 60-days-old and Ullery said at that point he had little choice, he elected to pay the ransom.

“You should back your data up as frequently as you can,” said Ullery.

At the Florida Center for Cyber Security at the University of South Florida, director Sri Sridharan said paying the ransom doesn’t always work.

“There are people who have paid the ransom, but they still have the ransomware on their screen, that it’s not been cleaned out. In other words, the attackers have not provided the decryption algorithms to release your data back to it’s normalcy,” said Sridharan.

Still, he said for some companies, it’s a calculated risk.

“It all depends on your situation, you’ve got to make a decision. If you are a company, if you are an enterprise and if your electronic records and patient records are locked up, you have to think twice about not paying a ransom,” said Sridharan.

He recommends frequent system back-ups on a remote system.

Sridharan also said companies and individuals should download and install software updates as soon as they are available.

In this case, Sridharan said Microsoft was aware of a potential security problem and sent out a patch to correct the problem long before the latest attack.

Sridharan said systems that did not install the patch were vulnerable to the attack.
Follow Jeff Patterson on Facebook

You’ve been hit! What should you do?

Isolate the infected computer immediately.

Disconnect your PC from any networks it’s connected to.

Infected systems should be removed from the network as soon as possible to prevent ransomware from attacking network or share drives.

Power it off.

This may afford more time to clean and recover data, contain damage, and prevent worsening conditions.

What happens next depends if you’re on a home PC or a work PC.

If you’re at home, get in touch with a local IT support company who’ll be able to get your computer back into working order.

If you’re at work, get in touch with your internal IT department, then make sure a notification is sent out telling everyone about the attack.

Contact law enforcement immediately.

It is strongly encouraged that you contact a local field office of the Federal Bureau of Investigation (FBI) or U.S. Secret Service immediately upon discovery to report a ransomware event and request assistance.

Should you pay the ransom?


The United States Government does not encourage paying a ransom to criminals.

Ransomware victims may also wish to consider the following factors:

• Paying a ransom does not guarantee an organization will regain access to their data; in fact, some individuals or organizations were never provided with decryption keys after paying a ransom.

• Some victims who paid the demand were targeted again by cyber actors.

• After paying the originally demanded ransom, some victims were asked to pay more to get the promised decryption key.

• Paying could inadvertently encourage this criminal business model

Source: US Department of Justice, US Computer Emergency Readiness Team

North Korea May Be Linked To WannaCry Ransomware, Researchers Say

The WannaCry ransomware that attacked computers in 150 countries has lines of code that are identical to work by hackers known as the Lazarus Group, according to security experts. The Lazarus hackers have been linked to North Korea, raising suspicions that the nation could be responsible for the attack.

The connection was made by Google security researcher Neel Mehta, who pointed out similarities between WannaCry and malware used by Lazarus, the group that's been blamed for the Sony Pictures hack of 2014 and for stealing millions of dollars from a Bangladeshi bank in 2016.

After Mehta highlighted the elements in the code, other researchers confirmed similarities that early versions of WannaCry (also called WannaCrypt, Wana Decryptor or WCry) shared with malware tools used by Lazarus.

Shared code between an early, Feb 2017 Wannacry cryptor and a Lazarus group backdoor from 2015 found by @neelmehta from Google.

While the revelation stands as the most substantial public details about the cyberattack's origin, it's not seen as enough to assign blame — at least in part because it's common to copy code. But similarities in lines of malware have been traced to earlier Lazarus attacks at least as far back as 2013, when South Korean media companies were targeted. Those patterns were highlighted last year, when hackers used malware to go after banks.

"If validated, this means the latest iteration of WannaCry would in fact be the first nation state powered ransomware," Dubai-based security researcher Matt Suiche writes. "This would also mean that a foreign hostile nation would have leveraged lost offensive capabilities from [NSA hackers] Equation Group to create global chaos."

The identity of whoever deployed the attack has remained a mystery, but it's widely known that the WannaCry "exploit" that was used to take control of vulnerable Windows computers was stolen from the National Security Agency. A rogue group published the malware online in April; after it was used, Microsoft President Brad Smith called out the U.S. government for "stockpiling" vulnerabilities.

The WannaCry attack made headlines on Friday after locking computers in the U.K.'s health system and Spain's largest telecom. There were no signs that it sought to single out the U.S. or South Korea, despite its emergence at a time of high tensions on the Korean Peninsula.

"At least 12 South Korean companies have been hit by the WannaCry computer virus," NPR's Lauren Frayer reports from Seoul. "It's disrupted ads for a local theater chain, and bus schedules in a small city south of the capital Seoul. But South Korea doesn't appear to be hurt any more than other countries."

Security firm Symantec says it has "identified the presence of tools exclusively used by Lazarus on machines also infected with earlier versions of WannaCry," which could have been used to help spread the worm to vulnerable computers. The company adds that the shared code is based on "a specific sequence of 75 ciphers which to date have only been seen across Lazarus tools."

The WannaCry cyberattack has hit more than 300,000 computers, White House homeland security adviser Tom Bossert said Monday. He also said that while U.S. investigators don't know who is responsible for WannaCry, there are clues to follow.