Researchers Find 'Best Clue' as to Origins of Ransomware

Code in an early version of WannaCry has a link to North Korea
By Rob Quinn,  Newser Staff
Posted May 16, 2017 1:36 AM CDT
Updated May 16, 2017 6:38 AM CDT
A customer walks by a notice about ransomware at CGV theater in Seoul, South Korea, Monday, May 15, 2017.   (AP Photo/Lee Jin-man)
camera-icon View 1 more image

(Newser) – Security researchers say a leading suspect in the massive ransomware attack is a familiar one: North Korea. Researchers at Google, Symantec, Kaspersky Lab, and Comae Technologies say an early version of the WannaCry software contains code similar to that used by the Pyongyang-linked Lazarus group in a 2015 cyberattack, the Wall Street Journal reports. Researchers say it could be the case that the attackers simply copied the code, or included it so that North Korea would be blamed for the attack, though the fact that it was removed from the final version of the software, which has hit at least 200,000 computers worldwide, seems to rule out the latter theory, the Guardian reports.

The copied code isn't proof on its own, but "this is the best clue we have seen to date as to the origins of WannaCry," Kaspersky researcher Kurt Baumgartner tells Reuters. Whoever the culprits are, they made some amateurish mistakes that severely limited their take from the scheme, experts tell Wired. The errors include a "kill switch" that a British security researcher was able to activate for $11, and flaws that experts believe make it impossible for the criminals to know who has paid the ransom. "From a ransom perspective, it’s a catastrophic failure," says Cisco security researcher Craig Williams. The attack is believed to have brought in just $55,000, a fraction of the millions that smaller attacks have netted. (Read more cyberattack stories.)

My Take on This Story
Show results  |