Researchers from security firm Symantec presented additional evidence which further builds the case that WCry is linked to Lazarus
Security Researchers have found additional digital footprints which connect this month’s WCry ransomware attack to the same hacking group which attacked Sony Pictures in 2014 and also the Bangladesh Central Bank last year.
Also last week, a researcher at Google had recognized an identical code originated in a WCry sample from February attack and also an early 2015 version of Cantopee, a backdoor used by Lazarus Group, a hacking group which has been operational since 2011.
Furthermore, fingerprints linked Lazarus Group to hacks that wiped off almost a terabyte worth of data from Sony Pictures and also siphoned a reported $81 million from the Bangladesh Central bank last year. Researchers have stated that the Lazarus Group carried out those hacks on the behalf of North Korea.
Researchers from security firm Symantec gave additional evidence which supplements the case that the ransomware bug WCry is closely linked to Lazarus Group. The evidence includes the discovery of three pieces of malware which were previously linked to Lazarus Group that were left out on a network first hit by WCry, in February. The malware included Trojan Volgmer and two variants of Backdoor.Destover, the disk wiping tool used in Sony Pictures attacks.
Trojan Alphanc, last used to spread WCry in attacks that took place in March and April attacks was a modified version of Backdoor.Duzzer, which has previously been linked to Lazarus as well. Bravonc, another Trojan used to install WCry in attacks on computers, used the same IP addresses for command and control as Duuzer and Destover.
In a blog post by Symantec researchers, they wrote, “The earlier versions of WannaCry and the one used in the May 12 attacks are largely the same, with some minor changes, chiefly the incorporation of the EternalBlue exploit. The passwords used to encrypt the Zip files embedded in the WannaCry dropper are similar across both versions ("wcry@123", "wcry@2016", and "WNcry@2ol7") indicating that the author of both versions is likely the same group.
The small number of Bitcoin wallets used by first version of WannaCry, and its limited spread, indicates that this was not a tool that was shared across cyber crime groups. This provides further evidence that both versions of WannaCry were operated by a single group.”