As posted on ‘WannaCry’ ransomware showed traces of North Korean code
For all the damage the "WannaCry" ransomware has done, there’s still one looming, unanswered question: who’s behind it? At last, there might be a clue. Google researcher Neel Mehta has noticed that an early version of WannaCry’s code shares similarities with a February 2015 sample from the Lazarus Group, a North Korea-linked outfit blamed for both the Sony Pictures hack as well as the Bangladesh Bank heist. The code changed between then and now, but it at least raises the possibility that North Korea was involved.
There is a chance that someone borrowed the code, whether out of convenience or as an attempt to throw investigators off the scent. However, experts at Kaspersky argue that a deliberate plant is "improbable" given that the similar code was removed later on. And besides, the presence of kill switches in both original and modified versions of WannaCry supports the notion that these are state-sponsored hackers. As FOX-IT’s Maarten van Danzig explains to Ars Technica, run-of-the-mill criminals rarely include failsafe measures like this — why would they want to stop the money from pouring in? Moreover, the malware doesn’t even bother to automatically check whether or not victims have paid up. If profit was really the motive, the code was exceptionally sloppy.
It’s going to take much more research before experts can pin down WannaCry’s origins, assuming that’s possible. You certainly won’t get a confession from North Korea even if there’s smoking gun evidence of its involvement. However, what’s here at least gives investigators a starting point.
Via: Ars Technica