The story of the WannaCry ransomware isn't over yet. There is a possibility that the attackers behind the infection are the infamous Lazarus group, a cyber gang linked to North Korea.
Yesterday, Neel Mehta, a security researcher at Google, posted a message on Twitter tagged #WannaCryptAttribution. As Kaspersky Lab explains, the cryptic post consists of the hashes of two samples, a WannaCry cryptor from February this year and a Lazarus APT backdoor from 2015, each followed by code offsets inside the binary. The code at those offsets is nearly identical in the two samples, and that shared fragment is the basis of the attribution.
Lazarus is a notorious cyber gang that has been active since 2011. Up until now, the group has been connected to multiple cyber-attacks, including the Sony Pictures wiper attack and the Bangladesh Bank heist.
Over the years, researchers have collected numerous Lazarus samples and concluded that the group develops its malware on "multiple independent conveyors", that is, several parallel production lines, each turning out new samples.
Is the Lazarus crew really behind the WannaCry infection?
Experts cannot be 100% positive that the same gang is responsible for the WannaCry ransomware. After all, the possibility remains that the WannaCry authors copied the Lazarus code, deliberately or not. On the other hand, the shared fragment is present in the February WannaCry sample but was removed from later versions, which is not what you would expect from a planted false flag, and that tilts the scale a little toward a genuine link.
Researchers at Kaspersky Lab are fairly convinced that the WannaCry sample from February this year was, in fact, created by the same people who are responsible for the current attack, or by people who had access to the same source code. Mehta is also not the only one to have spotted these similarities: other security researchers, such as Matthieu Suiche of Comae Technologies, have independently confirmed the connection.
Another interesting fact is that US intelligence agencies identify Lazarus as a North Korean government operation. About a month ago, Kaspersky Lab presented evidence linking the attacks on banks in Bangladesh and Vietnam, and on the SWIFT banking infrastructure, to Lazarus.
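Reproducing the kind of check Mehta's tweet invites, and that the researchers above performed, is straightforward once you have both files and the offsets. The script below is an added example, not code from this article, from Neel Mehta, Kaspersky Lab or Comae Technologies: it carves a byte window at a given offset out of each sample, measures overlap by shared 4-byte n-grams and by the longest common byte run, and reports the result alongside the sample hashes. The two "samples", their offsets and the shared fragment are constructed stand-ins, not bytes from the real WannaCry or Lazarus binaries, and the thresholds in `classify` are assumptions chosen for the example.

```python
"""Compare the code at given offsets in two malware samples.

Added example, not from the article, Neel Mehta or Kaspersky Lab.  All
samples, offsets and byte strings below are constructed for illustration;
they are not taken from the real WannaCry or Lazarus binaries.
"""
from __future__ import annotations

import hashlib


def read_window(data: bytes, offset: int, length: int) -> bytes:
    """Return `length` bytes of `data` starting at file offset `offset`."""
    if offset < 0 or offset + length > len(data):
        raise ValueError(f"window {offset:#x}+{length:#x} lies outside the file")
    return data[offset:offset + length]


def ngrams(window: bytes, n: int = 4) -> set[bytes]:
    """Set of all n-byte substrings of the window (order-insensitive fingerprint)."""
    return {window[i:i + n] for i in range(len(window) - n + 1)}


def ngram_jaccard(a: bytes, b: bytes, n: int = 4) -> float:
    """Jaccard similarity of the two windows' n-gram sets, in [0, 1]."""
    ga, gb = ngrams(a, n), ngrams(b, n)
    if not ga and not gb:
        return 1.0
    return len(ga & gb) / len(ga | gb)


def longest_common_run(a: bytes, b: bytes) -> int:
    """Length of the longest byte string present in both windows (dynamic programming)."""
    best = 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def compare_samples(sample_a: bytes, off_a: int, sample_b: bytes, off_b: int,
                    length: int = 32, n: int = 4) -> dict:
    """Compare the byte windows at off_a / off_b and return the evidence as a dict."""
    wa = read_window(sample_a, off_a, length)
    wb = read_window(sample_b, off_b, length)
    return {
        "sha256_a": hashlib.sha256(sample_a).hexdigest(),
        "sha256_b": hashlib.sha256(sample_b).hexdigest(),
        "offset_a": off_a,
        "offset_b": off_b,
        "identical": wa == wb,
        "jaccard": ngram_jaccard(wa, wb, n),
        "longest_common_run": longest_common_run(wa, wb),
    }


def classify(result: dict, min_run: int = 16, min_jaccard: float = 0.5) -> str:
    """Thresholds are assumptions for this example.  Note the verdict says 'shared code',
    not 'same author': copied code (a false flag) produces exactly the same signal."""
    if result["longest_common_run"] >= min_run or result["jaccard"] >= min_jaccard:
        return "shared-code"
    return "no-overlap"


# Constructed stand-ins.  The fragment uses 32 distinct byte values so every
# 4-gram is unique, which keeps the similarity numbers easy to reason about.
SHARED_FRAGMENT = bytes(range(0x55, 0x75))
SAMPLE_A = bytes(0x100) + SHARED_FRAGMENT + b"\x90" * 0x40          # fragment at 0x100
OFFSET_A = 0x100
# Second sample carries the same fragment at a different offset, with one byte
# patched (a typical compiler/version difference between two builds).
SAMPLE_B = (b"\xcc" * 0x200 + SHARED_FRAGMENT[:16] + b"\xff"
            + SHARED_FRAGMENT[17:] + bytes(0x20))
OFFSET_B = 0x200


if __name__ == "__main__":
    hit = compare_samples(SAMPLE_A, OFFSET_A, SAMPLE_B, OFFSET_B)
    print(classify(hit), hit)
    control = compare_samples(SAMPLE_A, 0, SAMPLE_B, OFFSET_B)   # unrelated window
    print(classify(control), control)
```

A strong score here shows that the two samples share code, nothing more; whether that code was written by the same team or lifted by someone else is exactly the question the caveat above leaves open. A real analysis would also disassemble the two regions and compare at the instruction level with addresses and relocated immediates masked, since raw bytes drift between builds even when the source is unchanged.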