WannaCry ransomware attack possibly linked to North Korea

The ransomware attack that held thousands of computers hostage late last week might be linked to a hacker group with ties to North Korea, researchers have found.

On Monday, Google security researcher Neel Mehta posted a cryptic set of characters on Twitter together with the hashtag #WannaCryptAttribution. Kaspersky Lab researchers then explained that Mehta has posted two similar code samples, one from an early version of WannaCry, and one originating from Lazarus, a hacker group which possibly originates from North Korea.

According to Ars Technica, what Mehta has found is evidence that a February variant of WannaCry shares code with the 2015 version of Cantopee, a backdoor used by Lazarus Group. Furthermore, the fact that WannaCry's code contains a kill switch -- a way to stop the malware from spreading -- indicates that whoever is behind the attack is not (purely) financially motivated.

It's possible that someone is impersonating the group, though Kaspersky claims this is "improbable."

Kaspersky took a good look into the Lazarus Group's activities and posted its findings in April 2017. The group appears to be highly sophisticated and very active; in a blog post, Kaspersky called the scale of the group's operation "shocking."

The evidence tying Lazarus to North Korea, however, is slim, and includes some traces of group's activity originating from the country, as well as a list of targets that includes Sony Pictures (remember The Interview?) and South Korea.

Nothing is certain at this point, and more research will be needed before WannaCry's makers are unmasked. Kaspersky does, however, claim that "Neel Mehta’s discovery is the most significant clue to date regarding the origins of Wannacry."