WannaCry: Ransomware attacks show strong links to Lazarus group

Similarities in code and infrastructure indicate close connection to group that was linked to Sony Pictures and Bangladesh Bank attacks

Tools and infrastructure used in the WannaCry ransomware attacks have strong links to Lazarus, the group that was responsible for the destructive attacks on Sony Pictures and the theft of US$81 million from the Bangladesh Central Bank.

Prior to the global outbreak on May 12, an earlier version of WannaCry (Ransom.Wannacry) was used in a small number of targeted attacks in February, March, and April. This earlier version was almost identical to the version used in May 2017, the only difference being the method of propagation. Analysis of these early WannaCry attacks by Symantec’s Security Response team revealed substantial commonalities in the tools, techniques, and infrastructure used by the attackers and those seen in previous Lazarus attacks, making it highly likely that Lazarus was behind the spread of WannaCry. Despite the links to Lazarus, the WannaCry attacks do not bear the hallmarks of a nation-state campaign but are more typical of a cybercrime campaign. These earlier versions of WannaCry used stolen credentials to spread across infected networks, rather than leveraging the leaked EternalBlue exploit that caused WannaCry to spread quickly across the globe starting on May 12.

Summary of links
· Following the first WannaCry attack in February, three pieces of malware linked to Lazarus were discovered on the victim’s network: Trojan.Volgmer and two variants of Backdoor.Destover, the disk wiping tool used in the Sony Pictures attacks.

· Trojan.Alphanc, which was used to spread WannaCry in the March and April attacks, is a modified version of Backdoor.Duuzer, which has previously been linked to Lazarus.

· Trojan.Bravonc used the same IP addresses for command and control as Backdoor.Duuzer and Backdoor.Destover, both of which have been linked to Lazarus.

· Backdoor.Bravonc uses code obfuscation similar to that of WannaCry and Infostealer.Fakepude (which has been linked to Lazarus).

· There is shared code between WannaCry and Backdoor.Contopee, which has previously been linked to Lazarus.
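The links above rest on overlaps in code and command-and-control infrastructure between malware families, chained back to families already attributed to the group. The following is an added example, not from the Symantec report or this article, showing how such overlaps can be turned into a link graph with the evidence behind each link; the family names follow the article, but every indicator value (IP addresses, code-feature labels) is a constructed placeholder.

```python
from collections import defaultdict
from itertools import combinations
# Constructed observations: family -> indicators seen with it.
# "c2:" = command-and-control address, "code:" = a shared code feature.
# Family names follow the article; every value is a placeholder.
OBSERVATIONS = {
    "Ransom.Wannacry":   {"code:obfuscator-A", "code:routine-X"},
    "Backdoor.Contopee": {"code:routine-X", "c2:198.51.100.10"},
    "Backdoor.Bravonc":  {"code:obfuscator-A", "c2:198.51.100.20"},
    "Backdoor.Duuzer":   {"c2:198.51.100.20", "code:routine-Y"},
    "Backdoor.Destover": {"c2:198.51.100.20", "code:routine-Z"},
    "Trojan.Alphanc":    {"code:routine-Y", "code:routine-W"},
    "Unrelated.Sample":  {"c2:203.0.113.5", "code:routine-Q"},
}
# Seed set: families the analyst already attributes to the group.
KNOWN_LAZARUS = {"Backdoor.Duuzer", "Backdoor.Destover", "Backdoor.Contopee"}

def shared_indicators(obs):
    """Map each overlapping family pair to the indicators they share."""
    links = {}
    for a, b in combinations(sorted(obs), 2):
        common = obs[a] & obs[b]
        if common:
            links[(a, b)] = common
    return links

def linked_to(obs, seed, min_shared=1):
    """Families reachable from the seed set through chains of overlaps.
    A single shared indicator is weak evidence; min_shared raises the bar."""
    adj = defaultdict(set)
    for (a, b), common in shared_indicators(obs).items():
        if len(common) >= min_shared:
            adj[a].add(b)
            adj[b].add(a)
    seen, stack = set(seed), list(seed)
    while stack:
        for nxt in adj[stack.pop()] - seen:
            seen.add(nxt)
            stack.append(nxt)
    return seen - seed

def evidence_for(obs, family, seed):
    """Indicators that tie `family` directly to a seed family."""
    ev = {}
    for (a, b), common in shared_indicators(obs).items():
        if family in (a, b):
            other = b if a == family else a
            if other in seed:
                ev[other] = common
    return ev
```

With the constructed data, WannaCry is reached from the seed set both directly (shared code with Backdoor.Contopee) and through Backdoor.Bravonc's C2 overlap with Duuzer and Destover, while the unrelated sample stays unlinked; raising min_shared to 2 links nothing, which is the point of the caveat.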

ends

© Scoop Media
