Over the weekend, the ‘WannaCry‘ ransomware attack reeked havoc over the cyber security practices of nearly 150 countries across the globe. It spread to around 2 lakh out-of-date Windows computers, thus, paralyzing the healthcare and telecom services of the nations. Now, the things are steadily starting to settle down and we all have that nagging question at the back of our mind — Who’s the person/group behind this attack?
Cyber security researchers have managed to curb the major ill-effects of this ransomware attack, during which they have uncovered evidence of the attack being linked to North Korean researchers. This is probably the very first clue and was posted by Google cyber security researcher, Neel Mehta on his Twitter profile earlier in the day. He added the hashtag ‘WannaCryptAttribution’ to make his fellow cyber researchers aware of the propagators of this wide-spread attack.
9c7c7149387a1c79679a87dd1ba755bc @ 0x402560, 0x40F598
ac21c8ad899727137c4b94458d7aa8d8 @ 0x10004ba0, 0x10012AA4#WannaCryptAttribution
— Neel Mehta (@neelmehta) May 15, 2017
The cyber security research team at Kaspersky Labs supports these claims and outlines its findings in an official blog post. They’ve detailed similarities between a segment of code from one of the WannaCry ransomware variants and February 2015 attack sample, which points towards someone extremely notorious. The code is also comparable to an early variant of the WannaCry sample which was leaked in the NSA data dump earlier this year.
Speaking on the same, Kaspersky’s official blog post reads:
We strongly believe the February 2017 sample was compiled by the same people or by people with access to the same source code as the May 2017 WannaCry encryptor used in the May 11th wave of attacks.
There are only some weak connections to the Lazarus Group, a North Korea government-backed outfit but researchers continue to investigate the WannaCry attack for even more evidence against the group. It is a group of hackers that have been held responsible for Sony Pictures hack, as well as the Bangladesh Bank heist. The WannaCry attackers have possibly been spotted as Symantec and other investigators have seen similar connections in the code but nothing is set in stone as of now. In a Cyberloop report, Symantec in a statement said:
While these connections exist, they so far only represent weak connections. We are continuing to investigate for stronger connections.
This is just a preliminary finding from the global cyber security researcher community and can later be termed as a false flag if even stronger evidence to support the involvement of a certain hacker group comes to light. It is highly probable that the attackers behind WannaCry lifted the relevant code segment from an older attack and added to the EternalBlue exploit from the NSA data dump. The Kaspersky researchers, however, believe that they’re close to the truth. They add:
For now, more research is required into older versions of WannaCry. We believe this might hold the key to solve some of the mysteries around this attack. One thing is for sure — Neel Mehta’s discovery is the most significant clue to date regarding the origins of WannaCry.
The primary doubt, however, among researchers is that profit wasn’t the motive of this attack as the ransomware doesn’t check who has paid the amount asked, then why? Why did the attackers decide to choke the functioning of entire nations over the weekend? It is possible that we may have the answers soon enough or not at all!