WannaCry: Whodunit?

That’s the err… $61,614.02 question!

The worldwide WannaCry ransomware attack has been making the news since Friday afternoon when it began to run ramped at hospitals in the UK, causing manufacturing plant shut downs across Europe propagating and encrypting everything it could get it’s hands on from ATM’s to marketing display panels.

WannaCry infects unpatched Windows based computers and immediately encrypts 176 different file types appending them with .WCRY to the end of the file name. Once this is complete, the user receives a taunting message that demands roughly $300 US in bitcoins in ransom be paid in order to decrypt and release the files. After 3 days, the payment demanded doubles and if payment is not made within 7 days, WannaCry threatens to delete the files permanently creating a sense of urgency for victims to pay.

It sounds like a real criminal money maker, doesn’t it? With current reports suggesting outbreaks in more than 150 countries and possibly 300,000 plus computers infected and at roughly $300 a ransom, you’d think the perpetrators of this global heist would be making off like bandits, but apparently, they’re not.

Analysis of the three Bitcoin addresses that are hard-coded into the ransomware indicates that at the time of writing, a total of 35.47151311 bitcoin ($61,614.02 US Dollars) had been paid in 235 separate transactions.

That’s the great thing about bitcoin, anyone can view all transactions so it’s possible to check how many people have actually paid the ransom so far.

You can have a look for yourself at the following links:

https://blockchain.info/address/13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

https://blockchain.info/address/12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

https://blockchain.info/address/115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Or you can just check out this handy real time graph prepared by Elliptic:

So we’ve established that whoever did it, isn’t getting rich, but clearly, with the sheer amount of damage done and chaos that resulted and continues to result from the attack, it’s important to figure out who is behind it all. That’s what law enforcement and security researchers have been up to all weekend and it appears that they are making some progress.

Earlier today, Google Security researcher Neel Mehta (@neelmehta)  posted this tweet along with the hashtag #WannaCryptAttribution

The security research community immediately jumped on the clues he provided and determined that an earlier version of WannaCry, from February 2015, shared some code with a backdoor program known as Contopee which has been used extensively by a hacker group known as the Lazarus Group that is largely believed to be operating under the control of the North Korean government.

Kaspersky provided the screenshot below that demonstrates the similarity between the two ransomware samples. The shared code has been highlighted.

Source: https://securelist.com/blog/research/78431/wannacry-and-lazarus-group-the-missing-link/

Symantec conducted their own analysis and they agree:

  • Co-occurrence of known Lazarus tools and WannaCry ransomware: Symantec identified the presence of tools exclusively used by Lazarus on machines also infected with earlier versions of WannaCry. These earlier variants of WannaCry did not have the ability to spread via SMB.  The Lazarus tools could potentially have been used as method of propagating WannaCry, but this is unconfirmed. 

  • Shared code: As tweeted by Google’s Neel Mehta, there is some shared code between known Lazarus tools and the WannaCry ransomware. Symantec has determined that this shared code is a form of SSL. This SSL implementation uses a specific sequence of 75 ciphers which to date have only been seen across Lazarus tools (including Contopee and Brambul) and WannaCry variants. 

While these findings do not indicate a definite link between Lazarus and WannaCry, we believe that there are sufficient connections to warrant further investigation. We will continue to share further details of our research as it unfolds.

Source: https://www.symantec.com/connect/blogs/what-you-need-know-about-wannacry-ransomware

Matt Suiche, who has provided outstanding analysis and commentary these past few days on all things WannaCry, has also independently confirmed the similarities in the source code.

His full post on attribution is available here.

And this isn’t the first time that the Lazarus Group has been found to reuse code. BAE Systems earlier linked the hack of Sony Pictures in 2014 with a Bangladesh bank of $81 million in 2016 and concluded in this report that the malicious code used across the attacks was so similar the most likely conclusion was that both attacks were the work of the same hacking group.

So did they or didn’t they?

Well… it’s too early to say definitively that it was the Lazarus Group and North Korea, however, it would make a lot of sense. They have a documented history of committing cybercrimes against financial institutions with the primary goal of stealing money, rather than for purposes of espionage or for strategic military advantages like other nation-state actors and circumstantial evidence like that above is beginning to emerge.

Also… frankly, with the rather convenient hard-coded kill switch included, the sloppy execution of launching an attack on a Friday afternoon as well as the rushed patches to subsequent variants we’ve seen emerge over the past two days, the attack overall just seems to lack the style and sophistication we’ve come to expect from other hacking groups such as Fancy Bear (APT 28).

If attribution to the Lazarus Group is eventually validated, it would be the first nation state developed ransomware attack that I’m aware of and likely the first time that a hostile nation has leveraged offensive capabilities from the Equation Group release as well.

Whoever did though, they’ve certainly proven themselves to be ingenious and insidious cybercriminals in terms of the development of their attack vector, but rather incompetent at making money. At least with this attempt.

Leave a Reply