The WannaCry (or WannaCrypt) ransomware that infected tens of thousands of PCs worldwide starting May 12, and is still holding several thousand hostage, has been linked by security researchers to the Lazarus group, which is said to be working for the North Korean government.
The Lazarus hacker group is allegedly responsible for colluding with North Korea in the Sony Pictures hack of 2014 and the $81 million Bangladesh Central Bank heist in 2016.
The WannaCry ransomware attack was based on an NSA exploit dubbed EternalBlue, which was leaked on the web by a group called the Shadow Brokers.
Security researchers at Symantec claim to have discovered a link between the current ransomware threat and the way Lazarus has pulled off attacks in the past — using similar code and malware strains.
“Aside from commonalities in tools used to spread WannaCry, there are also a number of links between WannaCry itself and Lazarus. The ransomware shares some code with Backdoor.Contopee, malware that has previously been linked to Lazarus,” Symantec’s Security Response team stated.
In addition to that malware strain, the researchers also tie Lazarus to the current WannaCry campaign through Infostealer.Fakepude and Trojan.Alphanc — malware strains the group used in earlier attacks — which have been used in the worldwide ransomware attacks now and in those of March and April, respectively.
While security researchers at Symantec have followed the digital crumbs to conclude that the Lazarus group — state-sponsored by North Korea — is likely responsible for the WannaCry ransomware attack, security analysts at ICIT are of a different opinion.
“While it is possible that the Lazarus group is behind the WannaCry malware, the evidence is circumstantial at best. It remains more probable that the authors of WannaCry borrowed code from Lazarus or a similar source,” says James Scott, Senior Fellow, ICIT.
While pointing out that the ‘attribution to North Korea is premature and likely false’, the researcher at the Institute for Critical Infrastructure Technology (ICIT) believes that this could very well be the work of script kiddies — hackers who borrow malicious scripts from other attacks to carry out one of their own.
“Had North Korea launched the WannaCry attack, it likely would have either attacked more strategic targets, or it would have attempted to capture more significant profits,” Scott adds.
The security researcher further points out that the Lazarus group is known for targeted, sophisticated attacks with malware tailored to each operation, and that it’s unlikely the group would ‘launch a global campaign dependent on barely functional ransomware’.
Remedy, Not Blame, Is Needed
The WannaCry ransomware attack wasn’t especially sophisticated and mostly infected unpatched PCs, but is putting our energy and resources into finding the source of the attack more important than securing ourselves against future attacks?
Microsoft had released an update patching the system vulnerability in March, but a huge number of PCs running the outdated Windows XP were hit.
The US National Security Agency (NSA) has an equal share in the blame, if you’re handing any out. It was the agency that discovered the vulnerabilities and tried to exploit them for its own (or organisational) gain.
Had the vulnerabilities been reported earlier and not dumped on the web for others to exploit, WannaCry might never have had such a major impact.
Consumers are to blame too, since a lot of the PCs hit in China and India were running pirated software, which means that many infected Windows PCs were incapable of receiving Microsoft’s update patching the vulnerability.
Free things are undoubtedly good, but as more and more vulnerabilities are discovered and more people come online to capitalise on them, if your free software doesn’t come with updates, then you’re putting yourself at risk.
While all tech companies constantly scrutinise their code through internal checks as well as bug bounty programmes, it’s important for consumers to ensure safety at their end.
The Lazarus group could be responsible for initiating the attack and it could be that other hackers are too, but the main concern here is the security of our internet connected devices.
As the technology surrounding the internet ecosystem grows more sophisticated and more integrated with our daily lives, the quality of attacks and the magnitude of their threat will advance too, and it’s in all of our best interests to focus our energy on creating a more secure environment on the internet.