Kaspersky trial balloon: ransomware came from North Korea

Undeterred by the fact that its statement about a new version of the WannaCry ransomware without a kill switch proved to be false, Kaspersky Lab is ploughing ahead with new speculation, this time claiming that the malware could have originated in North Korea.

The WannaCry creators used a vulnerability in Microsoft's Windows operating system, and an exploit developed by the NSA and leaked by a group called Shadow Brokers in April, to create ransomware that also had a worm element and spread on its own to vulnerable machines.

The malware was also given the name WannaDecrypt0r.

Kaspersky floated the idea of North Korea's involvement in a blog post, basing it on a finding by Google researcher Neel Mehta that similarities exist between an early WannaCry code sample from February and one from an advanced persistent threat spread by a group named Lazarus in 2015.

The Lazarus group has been said to be responsible for stealing from a Bangladesh bank, attacking Sony Pictures Entertainment, and also for an attack on South Korea's online industry in 2013.

[Image: Kaspersky claim]

Kaspersky says the similarities between the two code samples can be observed in this screenshot, with the shared code highlighted.

With law enforcement officials in many countries co-operating on trying to track down the perpetrators, Kaspersky's speculation found some takers, even though the security vendor described it in the following way:

"Is it possible this is a false flag? In theory anything is possible, considering the 2015 backdoor code might have been copied by the WannaCry sample from February 2017.

"However, this code appears to have been removed from later versions. The February 2017 sample appears to be a very early variant of the WannaCry encryptor. We believe that the theory (it is) a false flag although possible, is improbable."

But it is commonly known that malware code is re-used by various groups; one recent example was the re-use of code from the Mirai botnet to create another malware strain known as Persirai.

Kaspersky pointed out that a researcher from the UAE-based Comae Technologies had confirmed Mehta's findings.


Sam Varghese

A professional journalist with decades of experience, Sam for nine years used DOS and then Windows, which led him to start experimenting with GNU/Linux in 1998. Since then he has written widely about the use of both free and open source software, and the people behind the code. His personal blog is titled Irregular Expression.