North Korea ‘Highly Likely’ Behind Global WannaCry Ransomware Attack Says Symantec
Symantec says that before the recent outbreak occurred, a near identical version of WannaCry was used in targeted attacks in the months of February, March, and April of this year. The only difference Symantec observed was the method of propagation.
"Analysis of these early WannaCry attacks by Symantec’s Security Response Team revealed substantial commonalities in the tools, techniques, and infrastructure used by the attackers and those seen in previous Lazarus attacks, making it highly likely that Lazarus was behind the spread of WannaCry," Symantec states in a blog post. "Despite the links to Lazarus, the WannaCry attacks do not bear the hallmarks of a nation-state campaign but are more typical of a cybercrime campaign."
That latter statement is an interesting one, as it points to WannaCry having roots in North Korea but suggests it was not a political cyberattack. Instead, Symantec is essentially pointing the finger at North Korean hackers looking to make a quick buck.
"These earlier versions of WannaCry used stolen credentials to spread across infected networks, rather than leveraging the leaked EternalBlue exploit that caused WannaCry to spread quickly across the globe starting on May 12," Symantec added.
The WannaCry ransomware drew national headlines after it infected tens of thousands of computers in dozens of countries within a matter of hours. It seemed to be particularly intent on spreading to hospitals in the UK, some of which had to shut down and turn away patients as doctors and staff were locked out of their systems.
WannaCry was quickly neutralized by a security researcher who stumbled upon a kill switch. That played a role in the limited success of WannaCry, which has only collected $100,000 so far, most of which came from ransoms paid by Windows 7 users.