WannaCry ransomware shows 'strong links' to Lazarus: Symantec

By Park Sae-jin Posted : May 23, 2017, 16:57 Updated : May 23, 2017, 16:57


A recent bout of ransomware attacks that infected hundreds of thousands of computers across the world showed "strong links" to Lazarus, a hacking group suspected of being tied to North Korean hackers, according to Symantec, a US-based anti-virus firm.

Experts believe North Korean hackers are tied to Lazarus, a group suspected of launching the cyber attack on Sony Pictures in 2014 and of stealing some 100 million dollars from banks in Bangladesh and other countries in 2015 and 2016.

"Similarities in code and infrastructure indicate close connection to (the) group that was linked to Sony Pictures and Bangladesh Bank attacks," Symantec wrote in a blog, adding that the tools and infrastructure used in WannaCry have "strong links" to Lazarus.

WannaCry used a loophole in the file sharing protocol known as SMB (Server Message Block). The ransomware spreads from computer to computer like a worm and encrypts all files, leaving users unable to access them. Users must pay the hackers in Bitcoin, a digital payment system, to regain control of their computers.

An earlier version of WannaCry was almost identical to the new version used in May, Symantec said.

Analysis of the early WannaCry attacks "revealed substantial commonalities in the tools, techniques, and infrastructure" used in previous Lazarus attacks, making it highly likely that Lazarus was behind the spread of WannaCry, it said.

"The earlier versions of WannaCry and the one used in the May 12 attacks are largely the same, with some minor changes, chiefly the incorporation of the EternalBlue exploit," Symantec said.

"The small number of Bitcoin wallets used by (the) first version of WannaCry, and its limited spread, indicates that this was not a tool that was shared across cyber crime groups. This provides further evidence that both versions of WannaCry were operated by a single group."

Experts in Seoul have accused North Korean hackers of demanding Bitcoin in hacking cases carried out in South Korea using the SMB loophole. Symantec Korea has said that it has found evidence linking North Korea to cyber attacks targeting banks in Bangladesh, Vietnam, Ecuador and Poland.

Lim Chang-wo = cwlim34@ajunews.com