Security firm finds more clues to WannaCry link to North Korea

Security firm Symantec has released additional information suggesting that the WannaCry ransomware is associated with the Lazarus group, which has ties to North Korea. The malware was previously attributed to the country, but not all experts were convinced.

In a publication, Symantec writes that the new findings “make it very likely that the Lazarus group is responsible for the spread of WannaCry.” Still, according to the company, the attack itself bears the hallmarks of cybercriminals rather than of a state. The company bases its conclusion on similarities in the tools, techniques and infrastructure used.

For example, the first WannaCry infection identified by Symantec occurred in February, when the malware hit the systems of a single organization and quickly spread to more than 100 computers. In doing so, the attackers left behind some tools on the network that were also used by the Lazarus group. These are the Destover Trojan, which was used in the attack on Sony, and the Volgmer Trojan, which was previously used against South Korean targets.

More attacks with WannaCry versions took place in March and April. Symantec writes that it has not been able to detect a pattern in the chosen targets. Two backdoors are said to have been used to access the systems. One of them, the so-called Alphanc backdoor, contains a lot of code from a Lazarus backdoor, which leads the security company to conclude that Alphanc is a further-developed version of that backdoor.

Fewer details are known about the second backdoor, Bravonc. Symantec writes that it connects to the same command and control server as the Destover Trojan. In addition, the source code of Bravonc and Destover has been obfuscated in the same way.

The new findings follow previous evidence of a connection between WannaCry and the Lazarus group, found by Symantec, Kaspersky and BAE Systems. Initially, that evidence concerned code shared between the ransomware and malware of the Lazarus group. Following that publication, security researchers expressed doubts about the findings, as WannaCry doesn’t appear to be a sophisticated campaign. Whether Symantec’s current findings will be more widely accepted remains to be seen.

North Korea last week announced that it was not responsible for the infections with the WannaCry ransomware, which spread around the world earlier this month.
