This is an update to last week Sunday’s Wannacry article.

Last week on Monday, a lot of us were coming into the office in what felt to be a Wednesday morning, after working over the weekend to contain the Wannacry ransomware worm. We are now a week later, and remarkably little has changed.

There have, however, been some developments and some interesting attribution work. Here’s a small update on impact and North Korea attribution, from aggregated sources on the internet.

Decryptor

There is a decryptor available, which, in some cases, might help. See these articles for more information:

Impact update

First of all, in spite of warnings that people all over the internet were not getting their files back, people have kept paying, and the counter was 48.86359565 BTC ($99,448.11 USD) on Monday. The wannacry crew had sent a message to all victims that they needed to pay up.

There’s still little evidence on whether or not people are getting files back, so advice not to pay was economic as it was sensible. There are other crime wares like a Monero miner that have been using the same vulnerability.

The consensus is that we will see the tip of the iceberg, and the vulnerabilities disclosed by Shadow Brokers will lead to more (opportunistic) criminal campaigns.

North Korea link?

Despite the tremendous impact, the attack itself was deemed sloppy and amateurish. Many hypothesized ulterior motives. When we found the code similarities between Wannacry and 2015 Lazarus code, some argued it might be an APT-style “destructive” attack on the West, disguised as a criminal attack.

The jury has been still out on this, with some saying “could be”, some saying “probably”, and some “probably not”. You decide for yourself.

Pointing to sloppy criminals is:

  • hard coded Bitcoin addresses
  • built in hard coded kill switch domain
  • no automated decryption workflow
  • doesn’t provide keys on ransom payment
  • attracts huge amount of attention, way more collateral damage than usual
  • attacks Russian targets
  • why disguising as a “sloppy” attack, and not a good one?

While the links to Lazarus are:

  • code similarities
  • IoC similarities
  • code obfuscation similarities
  • the crew not hiding after all the attention but sending a message

Conclusion

It was a sloppy attack with high impact, either from B league criminals or worse. There needs to be a more plausible narrative surrounding the Lazarus – Wannacry connection, but every day there seems to be more circumstantial evidence. While the operational impact is dying down, the infosec community is vigilant in expectation of more campaigns using Shadow Brokers vulnerabilities.

Further readings you might like:

Cybersleuths unearth more clues linking wannacry to North Korea
MalwareTechBlog

Eward Driehuis

Chief Research Officer
eward.driehuis@securelink.nl