Symantec Suspects WannaCry Comes From North Korea

Symantec's researchers have uncovered a potential link between the WannaCry ransomware worm, that hit systems just over a week ago, and code used by the Lazarus Group, the hackers that attacked Sony in 2015 and $81M theft from the Bangladesh Central Bank and are believed to be based in North Korea.

These are the links Symantec has identified:

  • Trojan.Volgmer and two variants of Backdoor.Destover, the disk-wiping tool used in the Sony Pictures attacks.
  • Trojan.Alphanc, which was used to spread WannaCry in the March and April attacks, is a modified version of Backdoor.Duuzer, which has previously been linked to Lazarus.
  • Trojan.Bravonc used the same IP addresses for command and control as Backdoor.Duuzer and Backdoor.Destover, both of which have been linked to Lazarus.
  • Backdoor.Bravonc has similar code obfuscation as WannaCry and Infostealer.Fakepude (which has been linked to Lazarus
  • There is shared code between WannaCry and Backdoor.Contopee, which has previously been linked to Lazarus.

Symantec's blog article goes into detail into how WannaCry works and how different attacks are connected.


Comments

    So they have found SIMILAR code to a group that MAY be based in North Korea. Sounds like they are trying to blame them no matter what, why not blame Russia or China? There are North Koreans all over the world, put a million coders in a room and I guarantee you will see almost same code, if not similar.

    Then again, the new attackers could have stolen the code?

Join the discussion!