North Korea may have connection to WannaCry ransomware action

Posted May 17, 2017

As for New Zealand, the Government's cyber security agency CERT says there are only unconfirmed reports of local attacks, but it has warned about an emerging phone scam: callers claim to be from Microsoft and offer ransomware support, then trick you into installing malware on your computer and demand payment to remove it.

The connection was made by Google security researcher Neel Mehta, who pointed out similarities between WannaCry and malware used by Lazarus, the group that has been blamed for the Sony Pictures hack of 2014 and for stealing millions of dollars from a Bangladeshi bank in 2016.

Google security researcher Neel Mehta has now linked the attack this weekend to the group.

Researchers at Kaspersky Lab's GReAT team analyzed the information and identified and confirmed clear code similarities between the malware samples.

"This level of sophistication is something that is not generally found in the cybercriminal world". "Perhaps Symantec has more to go on than us at this point, but we are not seeing a DPRK link with the WannaCry worm campaign at this point". Two security companies found evidence connecting the specific ransomware to North Korean cybergang Lazarus Group, The Guardian reported.

David Emm, principal security researcher at Kaspersky Lab, said there was a "commonality of code" between the WannaCry and Lazarus viruses.

He told the Press Association: "There's a precursor to the WannaCry, a WannaCry sample that goes back to February".

Symantec and Kaspersky are investigating whether hackers from Lazarus Group were responsible for infecting an estimated 300,000 machines in 150 countries.

"Looking at that, there seems to be some commonality".

However, the theory that WannaCry's perpetrators planted a "false flag" to pin attribution on an innocent party, while possible, is improbable.


Investigators might also be able to extract some information about the attacker from a previously hidden internet address connected to WannaCry's "kill switch".

Did North Korea Sponsor The WannaCry Attack?

Beyond the immediate need to bolster cyber security, the issue also brought to light the discussion of the roles played by national governments in cyber security.

"But if you're looking at agencies like the Federal Bureau of Investigation, clearly they have access to intelligence that we don't".

Much remains unclear about the devastating WannaCry ransomware attack, but security researchers may be getting closer to understanding its origin.

Previously discovered code fingerprints already tied Lazarus Group to the highly destructive hack that caused hard drives in South Korea to self-destruct in 2013, wiped nearly a terabyte's worth of data from Sony Pictures in 2014, and siphoned nearly $1 billion from the Bangladesh Central Bank the previous year by compromising the SWIFT network used to transfer funds.

Patients are no longer being diverted away from hospital accident and emergency units after restrictions put in place following the cyber attack on the health service were lifted, NHS England has said.

A senior researcher from South Korea's Hauri Labs, Simon Choi, said on Tuesday the reclusive state had been developing and testing ransomware programs only since August.

Investigators suspect the attack wasn't meant to extort money as most ransomware attacks do.

In a letter to The Times, Sir David said: "Should Microsoft have stopped supporting Windows XP so soon, knowing that institutions had invested heavily in it (at the urging of the company at the time)?"