WannaCry ransomware shares code with North Korea-linked malware – researchers

The source for WannaCry ransomware, which has spread to 150 countries, may be Pyongyang or those trying to frame it, security analysts say, pointing to code similarities between the virus and malware attributed to alleged hackers from North Korea.
Speculation over a North Korean connection arose Monday, after the well-known Google security researcher Neel Mehta revealed in a Twitter post a resemblance between the code used in what is said to be an early version of WannaCry ransomware and the code in a hacker tool attributed to the notorious Lazarus Group.
The post, which contained what might look to an outsider like a random set of figures and letters accompanied by the hashtag #WannaCryptAttribution, immediately drew the attention of cybersecurity experts and has since been shared extensively. Shedding light on the otherwise cryptic message, Kaspersky Lab explained in a blog post that Mehta drew parallels between “a WannaCry cryptor sample from February 2017” and “a Lazarus APT [Advanced Persistent Threat] group sample from February 2015.”
Labelling Mehta’s revelation “the most significant clue to date regarding the origins of WannaCry,” Kaspersky researchers at the same time acknowledged that the WannaCry attackers’ apparent use of similar code is not enough to reach definitive conclusions about its origin, as it could be a false flag operation, and that more international effort is necessary to unearth its roots.
“It’s important that other researchers around the world investigate these similarities,” the post reads.
At the same time, they said there is little doubt that the February 2017 code referenced by Mehta “was compiled by the same people, or by people with access to the same source code” as the current spree of attacks.
Another renowned researcher, Matthieu Suiche from Comae Technologies, also said on Twitter that the discovered code similarities might have put security experts on the trail of the hackers.
“WannaCry and this [program] attributed to Lazarus are sharing code that’s unique. This group might be behind WannaCry also,” Suiche said, as cited by Wired.
However, he agreed with Kaspersky researchers that it would be wrong to rush to pin the blame on North Korea, based on these assumptions.