Kaspersky researchers have found evidence linking North Korea to the WannaCry ransomware attack that has infected more than 300,000 machines in 150 countries since Friday. The group details a segment of code used in both an early case and a February 2015 sample attributed to Lazarus Group, which has been identified as a North Korea-run hacking operation.
“We strongly believe the February 2017 sample was compiled by the same people,” Kaspersky writes, “or by people with access to the same source code as the May 2017 WannaCry encryptor used in the May 11th wave of attacks.”
On some level, it’s hard to know who is behind this ransomware attack. WannaCry behaves like standard criminal ransomware, and before this finding, there was no reason to suspect a nation state behind it. This kind of information is necessarily speculative, and it’s reasonable to think that the WannaCry authors lifted the relevant code from a North Korean sample just like they lifted the EternalBlue code from the NSA.
It is still a clue toward the origin of one of the most damaging pieces of ransomware the internet has ever seen.