Common features of the WannaCry ransomware and the attack on the website of the Polish Financial Supervision Authority (KNF)

Do the attack on KNF and the WannaCry ransomware have something in common? It turns out they do.

On Monday, May 15, 2017, a Google researcher posted on Twitter evidence of a possible link between the WannaCry encryption attacks, which infected tens of thousands of computers around the world, and malware attributed to the Lazarus group, the cybercriminal group behind a series of major attacks on government organizations, the media and financial institutions. The group's largest operations include the attack on the Sony Pictures studio in 2014, the attack on the Central Bank of Bangladesh in 2016 and further intrusions into financial organizations in 2017, including in Poland.

The Google researcher pointed to a WannaCry sample that had already appeared in February 2017, two months before the latest wave of encryption attacks. Experts from Kaspersky Lab's Global Research and Analysis Team (GReAT) analyzed this information and identified and confirmed code overlap between the sample the researcher pointed to and malware used by the Lazarus group in attacks in 2015.

According to Kaspersky Lab researchers, this similarity could be a false flag intended to throw researchers and law enforcement agencies off the track. On the other hand, analyzing the February sample and comparing it with the latest WannaCry versions showed that the traces of Lazarus group code had been removed from the malware used in the encryption attacks that began on Friday, May 12. This may indicate that the people behind the WannaCry campaign tried to cover their tracks.

Although this similarity is not clear proof of a strong link between the WannaCry attacks and the Lazarus group, it may give researchers new leads that will shed more light on the origin of the WannaCry malware, which so far remains unknown.




We use the Google Cloud Translation and Gengo APIs to translate articles, with the exception of our comparative tests.