# WannaCry — Links to Lazarus Group

URL: https://www.msuiche.com/posts/wannacry-links-to-lazarus-group/
Date: 2017-05-15
Author: Matt Suiche


---


#### Potential links to North Korea have been found.

**Read More**: [Part 1](https://www.msuiche.com/posts/wannacry-the-largest-ransom-ware-infection-in-history/) — [Part 2](https://www.msuiche.com/posts/wannacry-new-variants-detected/) — Part 3 — [Part 4](https://www.msuiche.com/posts/wannacry-decrypting-files-with-wanakiwi-demos/)

> Tweet: https://twitter.com/msuiche/status/864729652216115200


_Code similarities between a February 2017 [sample](https://www.virustotal.com/fr/file/3e6de9e2baacf930949647c399818e7a2caea2626df6a468407854aaa515eed9/analysis/) of WannaCry and a 2015 Contopee sample ([previously attributed last year to Lazarus Group by Symantec](https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks)) have been found. The similarity was initially reported on Twitter by Google researcher Neel Mehta, and I investigated further. Since then, this suspicion has been [shared by Kaspersky too](https://securelist.com/blog/research/78431/wannacry-and-lazarus-group-the-missing-link/)._

**UPDATE**: [Symantec also released an article a few hours later saying they too discovered similarities.](https://www.symantec.com/connect/blogs/what-you-need-know-about-wannacry-ransomware)

**UPDATE2:** [TheShadowBrokers just released a statement on the recent attacks.](https://steemit.com/shadowbrokers/@theshadowbrokers/oh-lordy-comey-wanna-cry-edition)

This would imply that WannaCry may have been developed by Lazarus Group.

> Tweet: https://twitter.com/neelmehta/status/864164081116225536


#### Feb 2017, WannaCry sample:

*   SHA2: [`3e6de9e2baacf930949647c399818e7a2caea2626df6a468407854aaa515eed9`](https://www.virustotal.com/fr/file/3e6de9e2baacf930949647c399818e7a2caea2626df6a468407854aaa515eed9/analysis/)
*   MD5: [`9c7c7149387a1c79679a87dd1ba755bc`](https://www.virustotal.com/en/file/3e6de9e2baacf930949647c399818e7a2caea2626df6a468407854aaa515eed9/analysis/)

#### Feb 2015, Contopee sample:

*   SHA2: [`766d7d591b9ec1204518723a1e5940fd6ac777f606ed64e731fd91b0b4c3d9fc`](https://www.virustotal.com/fr/file/766d7d591b9ec1204518723a1e5940fd6ac777f606ed64e731fd91b0b4c3d9fc/analysis/)
*   MD5: [`ac21c8ad899727137c4b94458d7aa8d8`](https://www.virustotal.com/en/file/766d7d591b9ec1204518723a1e5940fd6ac777f606ed64e731fd91b0b4c3d9fc/analysis/)

### Comparison

It looks like I was the first to break the news after interpreting what Neel said, followed by Kaspersky 15 minutes later.

> Tweet: https://twitter.com/msuiche/status/864179805402607623

Original tweet, posted to confirm _Neel Mehta's tweet_.


> Tweet: https://twitter.com/craiu/status/864182466092904450

![image](./images/1.jpeg#layoutTextWidth)
Appendix 1 — Initial disassembly code between the two functions — Assembly version of Appendix 3


![image](./images/2.jpeg#layoutTextWidth)
Appendix 2 — Identical arrays shared by the two functions in Appendix 1.

Here is an actual snippet of the array itself shared between the two samples:
```text
03 00 04 00 05 00 06 00  08 00 09 00 0A 00 0D 00
10 00 11 00 12 00 13 00  14 00 15 00 16 00 2F 00
30 00 31 00 32 00 33 00  34 00 35 00 36 00 37 00
38 00 39 00 3C 00 3D 00  3E 00 3F 00 40 00 41 00
44 00 45 00 46 00 62 00  63 00 64 00 66 00 67 00
68 00 69 00 6A 00 6B 00  84 00 87 00 88 00 96 00
FF 00 01 C0 02 C0 03 C0  04 C0 05 C0 06 C0 07 C0
08 C0 09 C0 0A C0 0B C0  0C C0 0D C0 0E C0 0F C0
10 C0 11 C0 12 C0 13 C0  14 C0 23 C0 24 C0 27 C0
2B C0 2C C0 FF FE 00 00
```

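The array above, read as little-endian 16-bit words, is a 0x0000-terminated list of 75 values that match TLS cipher suite identifiers (an observation added here, not one the post makes). The following is an added example, not code from the post or from either sample: it decodes the array, labels a few entries with their IANA names, and searches a constructed buffer for the same byte sequence, which is how a defender would turn this shared artifact into a file-scanning check.

```python
import re

# Hex dump copied from the post: the array found in both the Feb 2017
# WannaCry sample and the Feb 2015 Contopee sample.
ARRAY_HEX = """
03 00 04 00 05 00 06 00  08 00 09 00 0A 00 0D 00
10 00 11 00 12 00 13 00  14 00 15 00 16 00 2F 00
30 00 31 00 32 00 33 00  34 00 35 00 36 00 37 00
38 00 39 00 3C 00 3D 00  3E 00 3F 00 40 00 41 00
44 00 45 00 46 00 62 00  63 00 64 00 66 00 67 00
68 00 69 00 6A 00 6B 00  84 00 87 00 88 00 96 00
FF 00 01 C0 02 C0 03 C0  04 C0 05 C0 06 C0 07 C0
08 C0 09 C0 0A C0 0B C0  0C C0 0D C0 0E C0 0F C0
10 C0 11 C0 12 C0 13 C0  14 C0 23 C0 24 C0 27 C0
2B C0 2C C0 FF FE 00 00
"""
ARRAY_BYTES = bytes.fromhex(re.sub(r"\s+", "", ARRAY_HEX))

# A few IANA cipher-suite names for orientation (added here, not from the post).
KNOWN_NAMES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xFEFF: "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA",
}

def decode_suites(blob: bytes) -> list:
    """Read the array as little-endian uint16 words up to the 0x0000 terminator."""
    words = [int.from_bytes(blob[i:i + 2], "little") for i in range(0, len(blob), 2)]
    return words[:words.index(0)] if 0 in words else words

SUITES = decode_suites(ARRAY_BYTES)

def suite_name(code: int) -> str:
    """IANA name where known, otherwise the raw identifier."""
    return KNOWN_NAMES.get(code, f"0x{code:04X}")

def find_array(sample: bytes, min_words: int = 8) -> list:
    """Offsets in `sample` where the first `min_words` entries of the array
    occur in the same byte order the two samples store them."""
    needle = ARRAY_BYTES[: 2 * min_words]
    hits, start = [], 0
    while (pos := sample.find(needle, start)) != -1:
        hits.append(pos)
        start = pos + 1
    return hits
```
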
![image](./images/3.jpeg#layoutTextWidth)
Appendix 3 — Identical decompiled code between the two versions.


![image](./images/4.jpeg#layoutTextWidth)
Appendix 4 — Shared initialization parameters with caller.

The attribution to Lazarus Group would fit their past narrative, which was dominated by infiltrating financial institutions with the goal of stealing money.

If validated, this means the latest iteration of WannaCry would in fact be the first nation-state-powered ransomware.

This would also mean that a foreign hostile nation would have leveraged lost offensive capabilities from Equation Group to create global chaos.

In the meantime, a third kill switch appeared in the wild, `ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com`. The fact that it contains `lmao` would mean, if the above attribution is correct, that the attacker is purposely sending multiple messages:

*   A global provocation message to the law enforcement & security researcher community, to be read as "Keep Trying".
*   Reinforcing the theory that the latest iteration of WannaCry is a destructive operation meant to create political mayhem.

> Tweet: https://twitter.com/i0n1c/status/864231458348695552

