WannaCry - Links to Lazarus Group
Potential links to North Korea have been found.
Read More: Part 1 | Part 2 | Part 3 | Part 4
Collaborating with multiple partners is key to solve and defend against global cyber security issues. w/ @youseftv https://t.co/pxkuYupgId— Matt Suiche (@msuiche) May 17, 2017
Code similarities have been found between a February 2017 sample of WannaCry and a 2015 Contopee sample (attributed last year to Lazarus Group by Symantec). They were first reported on Twitter by Google researcher Neel Mehta, and I investigated further. Since then, Kaspersky has shared this suspicion too.
UPDATE: A few hours later, Symantec also released an article saying they had discovered similarities too.
UPDATE2: TheShadowBrokers just released a statement on the recent attacks.
This would imply that WannaCry may have been developed by Lazarus Group.
9c7c7149387a1c79679a87dd1ba755bc @ 0x402560, 0x40F598
ac21c8ad899727137c4b94458d7aa8d8 @ 0x10004ba0, 0x10012AA4 #WannaCryptAttribution — Neel Mehta (@neelmehta) May 15, 2017
Feb 2017, WannaCry sample:
- SHA2: 3e6de9e2baacf930949647c399818e7a2caea2626df6a468407854aaa515eed9
- MD5: 9c7c7149387a1c79679a87dd1ba755bc
Feb 2015, Contopee sample:
- SHA2: 766d7d591b9ec1204518723a1e5940fd6ac777f606ed64e731fd91b0b4c3d9fc
- MD5: ac21c8ad899727137c4b94458d7aa8d8
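The tweet above names one virtual address per sample where the shared code sits. The following is an added example, not code from this post or its author, showing how such a claim is checked mechanically: each VA is translated to a file offset through the PE section table, and the number of bytes the two samples share from that point is counted. Because the real samples are not on the page, `build_pe32`, `SHARED_STUB`, `WANNACRY_LIKE`, `CONTOPEE_LIKE` and `demo` are constructed stand-ins of my own that reuse the tweet's addresses with made-up bytes.

```python
import struct

def va_to_file_offset(pe: bytes, va: int) -> int:
    """Translate a virtual address to a raw file offset through the PE section table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsects = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt = e_lfanew + 24                       # optional header follows the 20-byte COFF header
    opt_size, magic = struct.unpack_from("<H", pe, e_lfanew + 20)[0], struct.unpack_from("<H", pe, opt)[0]
    image_base = (struct.unpack_from("<I", pe, opt + 28)[0] if magic == 0x10B   # PE32
                  else struct.unpack_from("<Q", pe, opt + 24)[0])               # PE32+
    rva = va - image_base
    for i in range(nsects):
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", pe, opt + opt_size + i * 40 + 8)
        if vaddr <= rva < vaddr + max(vsize, rsize):
            return rptr + (rva - vaddr)
    raise ValueError(f"VA {va:#x} is not backed by any section")

def shared_byte_run(a: bytes, va_a: int, b: bytes, va_b: int, limit: int = 4096) -> int:
    """Bytes identical from the two addresses onward: a crude first check for shared code."""
    oa, ob = va_to_file_offset(a, va_a), va_to_file_offset(b, va_b)
    n = 0
    while n < limit and oa + n < len(a) and ob + n < len(b) and a[oa + n] == b[ob + n]:
        n += 1
    return n

def build_pe32(image_base: int, rva: int, data: bytes) -> bytes:
    """Constructed minimal single-section PE32 image so the demo runs without real samples."""
    e_lfanew, opt_size = 0x40, 0xE0
    raw_off = (e_lfanew + 24 + opt_size + 40 + 0x1FF) & ~0x1FF   # file-align the section data
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)                   # ImageBase
    img = bytearray(b"MZ".ljust(0x3C, b"\0")) + struct.pack("<I", e_lfanew) + b"PE\0\0"
    img += struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102) + opt
    img += b".text".ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(data), rva, len(data), raw_off, 0, 0, 0, 0, 0x60000020)
    return bytes(img.ljust(raw_off, b"\0") + data)

# Constructed stand-ins for the two samples: the VAs are the ones quoted in the tweet,
# the bytes are made up (a shared 15-byte stub, padded differently on each side).
SHARED_STUB = bytes.fromhex("558bec83ec1053568b7508578b7d0c")
WANNACRY_LIKE = build_pe32(0x00400000, 0x1000, b"\x90" * 0x1560 + SHARED_STUB + b"\xcc" * 16)
CONTOPEE_LIKE = build_pe32(0x10000000, 0x1000, b"\xcc" * 0x3BA0 + SHARED_STUB + b"\x90" * 16)

def demo() -> int:
    """Run the check at the tweet's addresses; returns the length of the shared byte run."""
    return shared_byte_run(WANNACRY_LIKE, 0x402560, CONTOPEE_LIKE, 0x10004BA0)
```

Raw byte equality is only a first filter: code that differs by relocations or compiler settings still needs a disassembly-level comparison before any similarity claim is made.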
Comparison
It looks like I am the first one to …