Researchers Find 'Best Clue' as to Origins of Ransomware

Code in an early version of WannaCry has a link to North Korea
By Rob Quinn,  Newser Staff
Posted May 16, 2017 1:36 AM CDT
Updated May 16, 2017 6:38 AM CDT

(Newser) – Security researchers say a leading suspect in the massive ransomware attack is a familiar one: North Korea. Researchers at Google, Symantec, Kaspersky Lab, and Comae Technologies say an early version of the WannaCry software contains code similar to that used by the Pyongyang-linked Lazarus group in a 2015 cyberattack, the Wall Street Journal reports. Researchers say it could be the case that the attackers simply copied the code, or included it so that North Korea would be blamed for the attack, though the fact that it was removed from the final version of the software, which has hit at least 200,000 computers worldwide, seems to rule out the latter theory, the Guardian reports.

story continues below

The copied code isn't proof on its own, but "this is the best clue we have seen to date as to the origins of WannaCry," Kaspersky researcher Kurt Baumgartner tells Reuters. Whoever the culprits are, they made some amateurish mistakes that severely limited their take from the scheme, experts tell Wired. The errors include a "kill switch" that a British security researcher was able to activate for $11, and flaws that experts believe make it impossible for the criminals to know who has paid the ransom. "From a ransom perspective, it’s a catastrophic failure," says Cisco security researcher Craig Williams. The attack is believed to have brought in just $55,000, a fraction of the millions that smaller attacks have netted. (Read more cyberattack stories.)

We use cookies. By Clicking "OK" or any content on this site, you agree to allow cookies to be placed. Read more in our privacy policy.
Get the news faster.
Tap to install our app.