It's unclear who is actually responsible for the global cyberattack that targeted around 300,000 machines in 150 countries. Businesses are still reeling from the fallout, and government agencies around the world are investigating.
Security researchers have documented similarities between the WannaCry code and malware created by the Lazarus Group, a hacking operation that has been linked to North Korea. The code similarities were discovered by Google researcher Neel Mehta on Monday. Google declined to comment.
The security firm Symantec also found links between Lazarus and WannaCry. It discovered early versions of WannaCry on systems that had been compromised by the Lazarus Group's tools. These versions were different from the ransomware that spread on Friday. It is unclear whether the Lazarus Group put the ransomware on those systems, or someone else did.
“We have not yet been able to confirm the Lazarus tools deployed WannaCry on these systems,” a Symantec spokesperson said in a statement to CNNTech. “While these connections exist, they so far only represent weak connections. We are continuing to investigate for stronger connections.”
Kaspersky Lab, a security company, has also published an analysis of the similarities. The Lazarus Group was linked to the 2014 hack of Sony Pictures and to attacks on banks around the world.
The latest observations are still a long way from determining whether North Korean hackers were behind the recent global cyberattack, but they demonstrate how researchers go about finding who is to blame. One way is to investigate the code and compare it to samples that known hackers have used in the past.
According to Amanda Rousseau, malware researcher at security firm Endgame, it's difficult to catch cybercriminals. Further, it will be hard to find patient zero, the first victim that kicked off the spread of the virus.
The WannaCry ransomware took computers hostage by encrypting their files and demanding payment to unlock them. It leveraged a Windows vulnerability leaked in a trove of hacking tools believed to belong to the NSA. The ransomware mostly affected businesses and large organizations with machines exposing SMB, the Windows file-sharing service: the flaw is in the SMBv1 implementation, and the malware spread from one vulnerable machine to the next without any user interaction.
Microsoft released a patch for the vulnerability (MS17-010) in March. Systems that had not applied it remained exposed, and unsupported versions such as Windows XP only received a fix when Microsoft issued an emergency update after the outbreak began.
Rousseau says the malware code indicates there are at least two different parties responsible, because two pieces of the attack are coded differently. The ransomware itself was not hard to reverse engineer, she said, which indicates that a less experienced person wrote it.
Multiple government agencies are committed to tracking down the perpetrators.
Finding out who is responsible is called "attribution," and it is very hard to do. Researchers look for identifiable pieces of code or clues about how the attack was executed, such as text strings, reused routines, or domain registrations. But there are tools attackers use to throw investigators off their tracks, and malware code is often publicly available or can be purchased on digital black markets, so a shared snippet may reflect a common source, or a deliberate false flag, rather than a common author.
According to Michael Flossman, researcher at security firm Lookout, examining the victims can help narrow down the perpetrators; but in the case of WannaCry, hundreds of thousands of machines were affected and there weren't many similarities in who was hit.
The hackers responsible have not received much in return for their efforts. While the ransomware took down hospitals and critical infrastructure, it has made less than $60,000 in ransom (the bitcoin wallets hard-coded into the ransomware are public, so payments into them can be tallied). Security researchers and government agencies have advised businesses not to pay the ransom.
Researchers are piecing together where WannaCry came from, and some insight into how hackers used the leaked exploits for the Microsoft vulnerabilities could be found on the dark web.
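As an added illustration of the code-comparison step described above (this is not from the article and not any vendor's actual tooling), the following Python scores the overlap between three constructed sample "binaries": it extracts printable strings and byte n-grams, discounts strings that appear in almost every Windows executable, and hedges the result the way the researchers quoted here do. The sample bytes, the generic-string list, the made-up shared routine and the thresholds are all assumptions invented for the demo.

```python
"""Scoring code overlap between malware samples, as used in attribution work.
Added example, not from the article or any vendor's tooling; the byte blobs are
constructed stand-ins, not real WannaCry or Lazarus material."""
import re
from typing import Dict, Set

# Printable-ASCII runs of 6+ bytes, the same heuristic the `strings` tool uses.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")

# Strings present in nearly every Windows executable: sharing them says nothing
# about authorship. (Short constructed list for the demo.)
GENERIC_STRINGS = {"kernel32.dll", "CreateMutexA", "LoadLibraryA", "GetProcAddress"}

# Made-up routine standing in for a piece of code reused across two samples.
SHARED_ROUTINE = bytes.fromhex(
    "558bec83ec405356578b7d0833c08b4d0c8a143932d088143f403bc17cf35f5e5b8be55dc3"
)

# Constructed "binaries": a DOS stub marker, imports, a mutex name, code, a note,
# and a tail of sample-specific code bytes. A and B share a routine and a mutex;
# C shares only boilerplate imports with A.
SAMPLE_A = (b"MZ\x90\x00\x00kernel32.dll\x00CreateMutexA\x00Global\\DemoLockerMutex\x00"
            + SHARED_ROUTINE + b"\x00DEMO-RANSOM-NOTE.txt\x00" + bytes(range(0xb0, 0xc8)))
SAMPLE_B = (b"MZ\x90\x00\x00kernel32.dll\x00LoadLibraryA\x00Global\\DemoLockerMutex\x00"
            + SHARED_ROUTINE + b"\x00backdoor.config\x00" + bytes(range(0xd0, 0xe8)))
SAMPLE_C = (b"MZ\x90\x00\x00kernel32.dll\x00CreateMutexA\x00hello-world\x00"
            + bytes(range(0x80, 0xa5)) + b"\x00README.txt\x00")


def extract_strings(data: bytes) -> Set[str]:
    """Printable strings embedded in the sample (mutex names, file names, imports)."""
    return {m.decode("ascii") for m in PRINTABLE_RUN.findall(data)}


def code_bytes(data: bytes) -> bytes:
    """Drop the string runs so the n-gram score reflects code, not shared text."""
    return PRINTABLE_RUN.sub(b"", data)


def byte_ngrams(data: bytes, n: int = 8) -> Set[bytes]:
    """Every n-byte window; a crude stand-in for function-level code hashing."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a: Set, b: Set) -> float:
    return len(a & b) / len(a | b) if (a or b) else 0.0


def compare(x: bytes, y: bytes) -> Dict[str, object]:
    """Raw string overlap, overlap after discounting generic strings, and code overlap."""
    sx, sy = extract_strings(x), extract_strings(y)
    return {
        "string_jaccard": jaccard(sx, sy),
        "distinctive_shared_strings": sorted((sx & sy) - GENERIC_STRINGS),
        "code_jaccard": jaccard(byte_ngrams(code_bytes(x)), byte_ngrams(code_bytes(y))),
    }


def assess(x: bytes, y: bytes, code_threshold: float = 0.05) -> str:
    """Hedge the result the way an analyst would: generic imports alone prove
    nothing; distinctive strings plus shared code is a link worth investigating,
    but still evidence of shared code, not proof of shared authorship."""
    r = compare(x, y)
    signals = bool(r["distinctive_shared_strings"]) + (r["code_jaccard"] > code_threshold)
    return ("no link", "weak link", "shared code and distinctive strings")[signals]


if __name__ == "__main__":
    for label, other in (("A vs B", SAMPLE_B), ("A vs C", SAMPLE_C)):
        print(label, compare(SAMPLE_A, other), "->", assess(SAMPLE_A, other))
```

Note that the raw string Jaccard is identical for both pairs (each shares two strings with A out of six), so it says nothing; only after discounting the boilerplate imports and scoring the code separately do the pairs separate. That gap is the difference between the "weak connections" Symantec describes and something worth pursuing, and even the strongest result here establishes shared code, which could equally come from a common toolkit.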
The dark web is like a second layer of the internet beyond what average people use every day. Its sites are reached through the Tor browser, which hides users' network location and makes it difficult, though not impossible, for an observer to link them to their activity.
Cybersecurity firm CYR3CON collects information from dark web sites and uses it to understand cybersecurity threats. In mid-April, the firm identified a conversation on a popular Russian forum that discussed using the leaked NSA exploits to launch ransomware attacks against hospitals.
"The thing most interesting was a conversation that mentioned the specific Windows exploit," Paulo Shakarian, cofounder and CEO of CYR3CON, told CNNTech. "It mentioned there were tens of thousands of systems that could be targeted, and many of them were in the medical industry."
Though there were many dark web conversations about the tools after they were released in April, this specific thread talked about a ransomware attack strikingly similar to WannaCry.
It's impossible to know who posted it, and it is not evidence that the people who participated in the thread were responsible. But law enforcement and researchers can use this information to anticipate what future attacks might look like, so companies and users can defend themselves.
"It can give insight into what malicious hackers are looking to target, what tools they will use, and what the established expertise is," Shakarian said.
sy88pgw (San Francisco) First published May 15, 2017: 4:23 PM ET