The ransomware attack that held thousands of computers hostage late last week might be linked to a hacker group with ties to North Korea, researchers have found.
On Monday, Google security researcher Neel Mehta posted a cryptic set of characters on Twitter together with the hashtag #WannaCryptAttribution. Kaspersky Lab researchers then explained that Mehta had posted two similar code samples: one from an early version of WannaCry and one from Lazarus, a hacker group that possibly originates from North Korea.
According to Ars Technica, what Mehta found is evidence that a February variant of WannaCry shares code with the 2015 version of Contopee, a backdoor used by Lazarus Group. Furthermore, the fact that WannaCry’s code contains a kill switch — a way to stop the malware from spreading — indicates that whoever is behind the attack is not (purely) financially motivated.
It’s possible that someone is impersonating the group, though Kaspersky claims this is “improbable.”