WannaCry ransomware may bear links to earlier malware that played a role in a Bangladesh bank heist as well as an attack on Sony Pictures in 2014.
A security researcher at Google has revealed that WannaCry shares identical code with malware used by the Lazarus group in 2014.
Between 2013 and 2014, a prolific hacker group calling themselves Lazarus wreaked havoc around the world. The group was said to be involved in a destructive cyber-attack on Sony Pictures that destroyed up to 1TB worth of data, an online heist on a Bangladesh bank, and an attack on thousands of hard drives in South Korea that also destroyed tonnes of data.
Security researchers have often linked Lazarus to North Korea. Speculation ranges from the country directly orchestrating such cyber-attacks to funding international hacker groups to do the dirty work for it. Lazarus hasn’t been very active since, but a recent tweet by Neel Mehta, a security researcher at Google, suggests that the recent WannaCry ransomware may share identical code with Cantopee, a malware used by the Lazarus group to attack systems around the globe.
However, while the code suggests similar patterns in use by the hackers behind both pieces of malware, researchers haven’t irrefutably established the link so far. “For now, more research is required into older versions of WannaCry. We believe this might hold the key to solve some of the mysteries around this attack. One thing is for sure—Neel Mehta’s discovery is the most significant clue to date regarding the origins of WannaCry,” noted researchers at Kaspersky Lab.
Martijn Grooten, a security researcher at Virus Bulletin, told Ars Technica that there are several factors which establish that WannaCry originated in North Korea, or is state-sponsored. WannaCry carries a kill switch which enables hackers to switch off the malware’s operation in certain systems whenever they please. This is mostly a tool used by state-sponsored hackers to kill off malware once objectives are achieved or to prevent collateral damage, such as killing off their own systems.
“Kill switches in malware are rare, and I can only think of government malware with those built in. Governments care about collateral damage far more than criminals do. And North Korea has recently been active as the Lazarus group,” he said.
Hackers behind WannaCry have so far used kill switches to kill off the malware in certain systems after victims paid them between $300 and $600 as ransom. The malware has affected hundreds of thousands of systems across 150 countries, but several government agencies and businesses have saved their systems by shutting them down or disconnecting them from the internet. In the UK, the NHS bore the brunt of the attack, with as many as 16 NHS hospitals suffering outages or system shutdowns over the past few days.