WannaCry Ransom Worm Creators Blamed for Two Previous Attacks

John Lister's picture

Security researchers say it's highly likely that hackers linked to North Korea were responsible for the recent widespread WannaCry ransomware attack. The same group, dubbed Lazarus, was previously blamed for two other high-profile online attacks.

According to security firm Symantec, the WannaCry attacks bore five distinct hallmarks of previous attacks thought to be the work of the Lazarus group. These include shared code, such as that used to spread the malware from machine to machine. Other common factors include the same IP address being used to issue commands to infected machines, and similar techniques being used to try to disguise the malicious code.

The researchers also discovered that the same password was used to encrypt files and that only a few Bitcoin wallets (equivalent to an online account) were used to collect the ransom money. That suggests that unlike some malware, which is shared among cyber crime groups, WannaCry was the work of a single group of hackers.

Windows Bug Led To Worldwide Chaos

Symantec also confirmed that the key to the ransomware spreading so widely was a modified exploit derived from a known SMB vulnerability in Windows. It said this changed it "from a dangerous threat that could only be used in a limited number of targeted attacks to one of the most virulent strains of malware seen in recent years." More than 300,000 computers worldwide were affected by the attack. (Source: symantec.com)

The Lazarus group has previously been labeled responsible for two major attacks. One was on Sony in 2014, which stole personal data about tens of thousands of employees along with internal emails, some of which proved embarrassing. That attack was thought to be influenced by North Korea in response to the Sony movie "The Interview", which was accused of mocking the country's leadership.

Lazarus was also blamed for an attack on the Bangladesh central bank last year that took more than $100 million through fraudulent online transactions.

Rogue Hacker Could Be Responsible

While both of those attacks had motivations that would be of interest to a government - namely politics and finance - the WannaCry attack sought the relatively "low" ransom of $300 from victims. Symantec says it doesn't believe a nation state was running WannaCry despite the connections to previous attacks. (Source: reuters.com)

One explanation could be that North Korea had simply encouraged those responsible to use WannaCry to cause disruption to other countries. Another is that the North Koreans had nothing to do with it and instead some 'rogue' Lazarus members were simply trying to make some money on the side.

What's Your Opinion?

Do you believe North Korea was behind the WannaCry attacks, either directly or indirectly? If so, should other countries retaliate? Should a cyber attack that compromises infrastructure such as hospital computer networks be treated in the same way as a physical attack?
