To be absolutely clear, this is not a claim that North Korea was behind Friday's ransomware wave, and the code similarities are not in the malware from last week's attacks. Instead, at the moment, this is just a decent lead in the investigation into the attack's origins.
The first to point out the similarities in the code between a February 2017 WannaCry sample and the Lazarus Group backdoor from 2015 was Neel Mehta, a threat intelligence researcher at Google. In particular, Mehta highlighted the "crypter," the ransomware component that encrypts the victim's files. Kaspersky Lab then analyzed the code and confirmed the similarities on Monday.
"We believe this might hold the key to solve some of the mysteries around this attack," the Kaspersky Lab researchers wrote. "One thing is for sure—Neel Mehta's discovery is the most significant clue to date regarding the origins of WannaCry." Matthieu Suiche, founder of cybersecurity company Comae Technologies, also highlighted apparent similarities.
In theory, the 2015 code could simply have been copied by whoever is behind the WannaCry attacks, as Kaspersky Lab researchers also noted.
Researchers from cybersecurity company Symantec also pointed to several links, although they caveated that the connections were "weak."
"We discovered that earlier versions of WannaCry in April and early May that weren't widely distributed, unlike the recent outbreak, were found on systems shortly after being compromised with known Lazarus tools. However, we have not yet been able to confirm the Lazarus tools deployed WannaCry on these systems. In addition, we found code in WannaCry used in SSL routines that historically was unique to Lazarus tools. While these connections exist, they so far only represent weak connections. We are continuing to investigate for stronger connections," the company said in a statement.
Since Friday, the wave of WannaCry ransomware has affected around 200,000 victims in 150 countries, according to European law enforcement agency Europol. Those targets include a myriad of UK National Health Service hospitals, a Spanish telco, Chinese universities, and the Russian Interior Ministry.
On Monday, thousands more victims in Asia announced they had been infected. The start of the work week also led to a sharp uptick in the number of ransom payments sent to the attackers. Whereas the figure was hovering around $30,000 on Sunday, several bitcoin addresses associated with the attacks now hold over $57,000.