23 May 2017, India:
Software and security company Symantec is confident that the WannaCry ransomware has roots in North Korea. The company stated that a North Korean group called the Lazarus Group is the prime suspect for the global havoc.
North Korea has apparently dismissed the reports. “It is ridiculous,” Kim In-Ryong, North Korea’s deputy ambassador to the United Nations, told reporters. “Whenever something strange happens, it is the stereotyped way of the United States and the hostile forces to kick off a noisy anti-DPRK campaign.” It is widely believed that the Lazarus Group worked out of China, but on behalf of the North Koreans.
Tools and infrastructure used in the WannaCry ransomware attacks have strong links to Lazarus, the group that was responsible for the destructive attacks on Sony Pictures and the theft of US$81 million from the Bangladesh Central Bank, Symantec Corporation stated in a blog post.
Prior to the global outbreak on May 12, an earlier version of WannaCry (Ransom.Wannacry) was used in a small number of targeted attacks in February, March, and April. This earlier version was almost identical to the version used in May 2017, the only difference being the method of propagation. Analysis of these early WannaCry attacks by Symantec’s Security Response Team revealed substantial commonalities in the tools, techniques, and infrastructure used by the attackers and those seen in previous Lazarus attacks, making it highly likely that Lazarus was behind the spread of WannaCry. Despite the links to Lazarus, the WannaCry attacks do not bear the hallmarks of a nation-state campaign but are more typical of a cybercrime campaign. These earlier versions of WannaCry used stolen credentials to spread across infected networks, rather than leveraging the leaked EternalBlue exploit that caused WannaCry to spread quickly across the globe starting on May 12.