WannaCry Ransomware: Potential Link to North Korea

2017-07-10, Intezer
http://www.intezer.com/wp-content/uploads/2017/07/Intezer-WannaCry.pdf
Intezer-WannaCry.pdf, 924.5 KB
#WannaCry

Contents

On Friday, 12 May 2017, a large cyber-attack using WannaCry ransomware was launched, infecting
more than 230,000 computers in 150 countries, demanding ransom payments in the cryptocurrency
bitcoin in 28 languages. WannaCry used the leaked EternalBlue exploit from the NSA to spread
itself through Windows networks.

Using Intezer’s Code Intelligence™ technology, we were able to find strong links to other malware
families, believed to be developed by North Korean hackers, or known to be used in attacks against
South Korean organizations. In this document, we will share some of the details that led us to
connect this large-scale ransomware attack to these malware families.

By extracting thousands of code-pieces (“genes”) from WannaCry samples and identifying them in
our Global Genome Database, which contains billions of code pieces of both malware and legitimate
applications, we have found several pieces of code from a rare version of a known library. The
original, more common library is “unzip 0.15 Copyright 1998 Gilles …

IoC

435e3e191abb9cd0ff2c49447177ff2c1f3e8c9ba6d5050ada9a2faec4e58c79