The New York Times is reporting that much of the code and tools used for Wannacry are similar to those used by North Korea's state-sponsored Lazarus Group, with similarities to code used to attack Sony Pictures in 2014, for example.
According to a rating agency A.M. Best, the the recent WannaCry ransomware attack could be a benefit to the insurance industry if it leads to better-crafted policies with clear language that provide the desired protection for policyholders. This earlier version was nearly identical to the version used in May 2017, with the only difference the method of propagation.
"The discovery of a small number of earlier WannaCry attacks has provided compelling evidence of a link to the Lazarus group", a blogpost by Symantec Security Response team reads. Symantec was able to determine that hacking tools used by the Lazarus Group, the same group that the hacked Sony pictures, were likely used to install early versions of Wanna Cry.
Trojan.Alphanc, which was used to spread WannaCry in the March and April attacks, is a modified version of Backdoor.Duuzer, which has previously been linked to Lazarus.
Finally, WannaCry and Lazarus-linked Backdoor.Contopee contain shared code. The hackers behind WannaCry also used a rare encryption method and an equally unusual technique to cover their tracks. Within two minutes of the initial infection, more than 100 computers in the organization were infected. The tool can scan for the EternalBlue exploit which was used in WannaCry, and also scan for a bunch of other such malware tools such as EternalChampion, EternalRomance and EternalSynergy.
First Alert 5 Forecast: Scattered Thundershowers Return
WEDNESDAY: Cloudy skies and scattered, widespread rain showers will develop, with a mild high temperature of 68 degrees. A FIRST ALERT for anyone camping on Sunday night because the chance for showers and storms looks to rise.
In its blog post, Symantec noted: "The incorporation of EternalBlue transformed WannaCry from a risky threat that could only be used in a limited number of targeted attacks to one of the most virulent strains of malware seen in recent years". So MalwareTech bought the domain name himself, hoping to use it to track WannaCry as it spread.
James Scott, a senior fellow at the Institute for Critical Infrastructure Technology, said WannaCry was "barely functional" and spread widely only because of the large number of networks and computers which failed to upgrade security and were vulnerable to the self-replicating "worm".
He claimed that the Lazarus Group was known for borrowing code from other malware, so any links are tentative.
Other digital crumbs linking the North Korean group to WannaCry include a tool that deletes data that had been used in other Lazarus attacks.
Earlier this week, cybersecurity experts said that the WannaCry ransomware, which has hit computer networks in 150 countries around the globe, may have been launched by Pyongyang or people trying to frame North Korea. "The cipher suite in both samples has the same set of 75 different ciphers to choose from", Symantec said. A researcher at Google and researchers at Kaspersky Lab found that identical computer code had been used to design Lazarus tools and Wanna Cry.