While researchers across the world are trying their best to contain the damage from the world's biggest ransomware attack - WannaCry - researchers at Symantec Corp believe the ransomware is "highly likely" the work of a hacking group associated with North Korea.
Due to similarities in the tools, code and infrastructure used by the hackers, the cyber security company believes it could be the doing of Lazarus, a North Korean hacking group that was also behind the cyber attack on Sony Pictures and the heist at Bangladesh's central bank, which stole more than $81 million.
"Analysis of these early WannaCry attacks by Symantec’s Security Response team revealed substantial commonalities in the tools, techniques, and infrastructure used by the attackers and those seen in previous Lazarus attacks, making it highly likely that Lazarus was behind the spread of WannaCry," Symantec wrote in a blog post.
North Korea has apparently dismissed the reports. "It is ridiculous," Kim In-Ryong, North Korea's deputy ambassador to the United Nations, told reporters. "Whenever something strange happens, it is the stereotyped way of the United States and the hostile forces to kick off a noisy anti-DPRK campaign."
Before the global outbreak on May 12, an earlier version of WannaCry - detected by Symantec as Ransom.Wannacry - was used in a small number of targeted attacks in February, March, and April. This previous version was almost identical to the version used in May 2017, with the only difference being the method of propagation: the earlier version lacked the worm component that let the May version spread on its own across networks.
Though Symantec links the attack to a group associated with North Korea, it does not believe it was a state-run operation, and fundraising appears to have been the primary goal. Vikram Thakur, Symantec's security response technical director, said in an interview, "Our confidence is very high that this is the work of people associated with the Lazarus Group because they had to have source code access. (But) we don't think that this is an operation run by a nation-state."
The company also said, "Despite the links to Lazarus, the WannaCry attacks do not bear the hallmarks of a nation-state campaign but are more typical of a cybercrime campaign."
Thakur said Lazarus Group members could have been moonlighting to make extra money, or they could have left government service, or they could have been contractors without direct obligations to serve only the state.
WannaCry spread using "EternalBlue", an exploit for a vulnerability in Windows file-sharing (SMB) that was stolen from the US National Security Agency and leaked publicly by the Shadow Brokers group in April 2017; the exploit turned the ransomware into a self-spreading worm and made the attack a far more potent threat. Up to 300,000 computers in 150 countries were hit by WannaCry, which encrypts files and demands payment in Bitcoin to return them to users. Banks, hospitals and state agencies were among the victims of the hackers, who exploited vulnerabilities in older and unpatched versions of Microsoft Windows; Microsoft had released a fix for the flaw (MS17-010) in March 2017, and systems that had applied it were not vulnerable to the worm's spread.