Ransomware attacks show strong links to Lazarus group

Tuesday, 23 May 2017, 11:09 am
Press Release: Symantec

WannaCry: Ransomware attacks show strong links to Lazarus group

Similarities in code and infrastructure indicate close connection to group that was linked to Sony Pictures and Bangladesh Bank attacks

Tools and infrastructure used in the WannaCry ransomware attacks have strong links to Lazarus, the group that was responsible for the destructive attacks on Sony Pictures and the theft of US$81 million from the Bangladesh Central Bank.

Prior to the global outbreak on May 12, an earlier version of WannaCry (Ransom.Wannacry) was used in a small number of targeted attacks in February, March, and April. This earlier version was almost identical to the version used in May 2017, with the only difference the method of propagation. Analysis of these early WannaCry attacks by Symantec’s Security Response team revealed substantial commonalities in the tools, techniques, and infrastructure used by the attackers and those seen in previous Lazarus attacks, making it highly likely that Lazarus was behind the spread of WannaCry. Despite the links to Lazarus, the WannaCry attacks do not bear the hallmarks of a nation-state campaign but are more typical of a cybercrime campaign. These earlier versions of WannaCry used stolen credentials to spread across infected networks, rather than leveraging the leaked Eternal Blue exploit that caused WannaCry to spread quickly across the globe starting on May 12.

Summary of links
· Following the first WannaCry attack in February, three pieces of malware linked to Lazarus were discovered on the victim’s network: Trojan.Volgmer and two variants of Backdoor.Destover, the disk wiping tool used in the Sony Pictures attacks.

Advertisement - scroll to continue reading

· Trojan.Alphanc, which was used to spread WannaCry in the March and April attacks is a modified version of Backdoor.Duuzer, which has previously been linked to Lazarus.

· Trojan.Bravonc used the same IP addresses for command and control as Backdoor.Duuzer and Backdoor.Destover, both of which have been linked to Lazarus.

· Backdoor.Bravonc has similar code obfuscation as WannaCry and Infostealer.Fakepude (which has been linked to Lazarus).

· There is shared code between WannaCry and Backdoor.Contopee, which has previously been linked to Lazarus.

ends

Advertisement - scroll to continue reading

Did you know Scoop has an Ethical Paywall?

If you're using Scoop for work, your organisation needs to pay a small license fee with Scoop Pro. We think that's fair, because your organisation is benefiting from using our news resources. In return, we'll also give your team access to pro news tools and keep Scoop free for personal use, because public access to news is important!

Go to Scoop Pro Find out more

Find more from Symantec on InfoPages.

Business Headlines | Sci-Tech Headlines

BUSINESS, SCIENCE & TECH

Business Canterbury: Urges Council To Cut Costs, Not Ambition For City

The Business Canterbury submission addresses concerns over a 'rates hump' and the need for the Council to maintain affordability while managing cost pressures.

Wellington Airport: On Track For Net Zero Emissions By 2028

This progress is a highlight of the airport’s annual Kaitiakitanga report released today, outlining efforts to support the environment, people and communities.

Landcare Research: ANZAC Gall Fly Release Promises Natural Solution To Weed Threat

A Kiwi-Australian collaboration with a difference is underway this ANZAC Day week on Bikini Atoll in the Marshall Islands. The Chief of Quarantine in the Marshall Islands, Ms Silver Wase, says chromolaena was identified as a top priority for the Marshall Islands at a stakeholder workshop held in the country in December 2022.

NZ Anti-Vivisection Society: Auckland Rat Lovers Unite!

On World Day for Animals in Labs, NZAVS is launching a new program to rehome rats bred or used for science with the University of Auckland.

University of Canterbury: $1.35 Million Grant To Study Lion-like Jumping Spiders

A University of Canterbury animal behaviour expert is part of a global team launching pioneering research into the predatory behaviour of jumping spiders.

Federated Farmers: Government Ends War On Farming

Today’s changes to unworkable and expensive regulations mark the end of the war on farming, says Federated Farmers freshwater spokesperson Colin Hurst. "These impractical rules have been a complete nightmare since the day they were introduced and farmers will be pleased to see the back of them," Hurst says.

Join Scoop Pro

Submit News

Become a Member