Virulent WCry ransomware worm may have North Korea’s fingerprints on it

Enlarge / Identical code found in WCry and 2015 malicious backdoor could be a smoking gun that provides crucial clues about the origin of Friday’s ransomware worm. (credit: Jo Christian Oterhals)

A researcher has found digital fingerprints that tie the WCry ransomware worm that menaced the world on Friday to a prolific hacking operation that previously generated headlines by attacking Sony Pictures, the Bangladesh Central Bank, and South Korean banks.

The link came in a cryptic Twitter message from Neel Mehta, a security researcher at Google. The tweet referenced identical code found in a WCry sample from February and an early 2015 version of Cantopee, a malicious backdoor used by Lazarus Group, a hacking team that has been operating since at least 2011. Previously discovered code fingerprints already tied Lazarus Group to the highly destructive hack that caused hard drives in South Korea to self-destruct in 2013, wiped almost a terabyte’s worth of data from Sony Pictures in 2014, and siphoned almost $1 billion from the Bangladesh Central Bank last year by compromising the SWIFT network used to transfer funds.

Over a matter of hours on Friday, Wcry used leaked National Security Agency-developed code to attack an estimated 200,000 computers in 150 countries. Also known as WannaCry, the self-replicating malware encrypted hard drives until victims paid ransoms ranging from $300 to $600. Infected hospitals soon responded by turning away patients and rerouting ambulances. Businesses and government agencies all over the world quickly disconnected computers from the Internet, either because they were no longer working or to prevent them from being hit. The outbreak was largely contained because the attackers failed to secure a domain name hard-coded into their exploit.

Read 10 remaining paragraphs | Comments