Analysis of early WannaCry attacks by Symantec’s Security Response Team revealed substantial commonalities in the tools, techniques, and infrastructure used by the attackers and those seen in previous Lazarus attacks, making it highly likely that Lazarus was behind the spread of WannaCry. Despite the links to Lazarus, the WannaCry attacks do not bear the hallmarks of a nation-state campaign but are more typical of a cybercrime campaign.

These earlier versions of WannaCry used stolen credentials to spread across infected networks, rather than leveraging the leaked EternalBlue exploit that caused WannaCry to spread quickly across the globe starting on May 12. The similarities in code and infrastructure indicate a close connection to the group that was linked to the Sony Pictures and Bangladesh Bank attacks.

Following the first WannaCry attack in February, three pieces of malware linked to Lazarus were discovered on the victim’s network: Trojan.Volgmer and two variants of Backdoor.Destover, the disk-wiping tool used in the Sony Pictures attacks. Trojan.Alphanc, which was used to spread WannaCry in the March and April attacks, is a modified version of Backdoor.Duuzer, which has previously been linked to Lazarus.

Trojan.Bravonc used the same IP addresses for command and control as Backdoor.Duuzer and Backdoor.Destover, both of which have been linked to Lazarus. Trojan.Bravonc also uses code obfuscation similar to that of WannaCry and Infostealer.Fakepude (which has been linked to Lazarus). There is shared code between WannaCry and Backdoor.Contopee, which has previously been linked to Lazarus.

The attackers left behind several tools on the victim’s network that provided substantial evidence of how WannaCry spread. Two files, mks.exe and hptasks.exe, were found on one affected computer. The file mks.exe is a variant of Mimikatz (Hacktool.Mimikatz), a credential-dumping tool that is widely used in targeted attacks. The latter file, hptasks.exe, was then used to copy and execute WannaCry on other computers on the network using the passwords stolen by mks.exe.

The spread of WannaCry by hptasks.exe was a two-stage process. In stage one, hptasks.exe is run with a target list of IP address ranges as an argument. It reads previously stolen credentials from a file called cg.wry and uses them to attempt a connection to every computer in those ranges. All connection attempts are logged to a file called log.dat. If a connection to a remote computer succeeds, and there is no file with a .res extension in either the Admin$ share or the C$\Windows folder (the marker of a computer it has already processed), then hptasks.exe copies the files listed in Table 2 onto the remote computer.

After hptasks.exe executes WannaCry on the remote computer, the second stage begins. hptasks.exe can pass several arguments to the WannaCry installation on the remote computer, including a new set of IP addresses. When WannaCry is run with these IP addresses as arguments, it does not encrypt the files on the local computer. Instead, it connects to the IP addresses it was given, accesses the Admin$ and C$ shares on those computers using the credentials embedded in the resource section of a file called c.wry, and encrypts the files on those computers remotely over the shares.
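The two-stage spread above leaves a recognizable footprint for defenders: one source host holding stolen credentials opens ADMIN$ or C$ on many machines in a short window, and the tooling drops files with fixed names (cg.wry, c.wry, log.dat, the .res marker). The following is an added example of detection logic for that pattern, written for this page and not taken from Symantec or from the attackers’ tooling. The event records are constructed for the example; their field names follow Windows Security event 5140 (network share object accessed) and Sysmon event 11 (FileCreate), and the threshold of five hosts in ten minutes is an assumed tuning value, not something the write-up specifies.

```python
"""Flag credential-based lateral movement over administrative shares, and
host artifacts named in the WannaCry write-up. Added example, not Symantec's code.
Event dictionaries below are constructed for the example; field names mirror
Windows Security event 5140 and Sysmon event 11."""
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

# Shares hptasks.exe (stage one) and WannaCry's remote-encryption mode (stage two) use.
ADMIN_SHARES = {"ADMIN$", "C$"}

# Filenames the write-up attributes to the tooling found on the victim's network.
TOOL_ARTIFACTS = {"mks.exe", "hptasks.exe", "cg.wry", "c.wry", "log.dat"}


def share_name(raw):
    """Normalise a 5140 ShareName such as '\\\\*\\ADMIN$' to 'ADMIN$'."""
    return raw.rstrip("\\").split("\\")[-1].upper()


def flag_share_sweeps(events, min_hosts=5, window=timedelta(minutes=10)):
    """Return [(src_ip, user, sorted hosts)] for every (source IP, account) pair that
    accessed an admin share on at least `min_hosts` distinct computers within `window`.
    `min_hosts` and `window` are assumed tuning values."""
    by_actor = defaultdict(list)
    for e in events:
        if e.get("event_id") != 5140 or share_name(e["share"]) not in ADMIN_SHARES:
            continue
        key = (e["src_ip"], e["user"].lower())
        by_actor[key].append((datetime.fromisoformat(e["ts"]), e["computer"].lower()))

    hits = []
    for (src_ip, user), accesses in by_actor.items():
        accesses.sort()  # time order, so a sliding window is valid
        best, lo = set(), 0
        for hi in range(len(accesses)):
            while accesses[hi][0] - accesses[lo][0] > window:
                lo += 1
            hosts = {host for _, host in accesses[lo:hi + 1]}
            if len(hosts) >= min_hosts and len(hosts) > len(best):
                best = hosts
        if best:
            hits.append((src_ip, user, sorted(best)))
    return hits


def flag_tool_artifacts(file_events):
    """Return [(computer, path, reason)] for file creations matching the known tool
    filenames, or a .res file written directly under C:\\Windows (the marker hptasks.exe
    checks for before copying itself to a host). The marker is the weaker signal:
    confirm it against the share-sweep output before acting on it."""
    hits = []
    for e in file_events:
        if e.get("event_id") != 11:
            continue
        directory, name = ntpath.split(e["path"])
        if name.lower() in TOOL_ARTIFACTS:
            hits.append((e["computer"], e["path"], "known tool filename"))
        elif name.lower().endswith(".res") and directory.lower() == r"c:\windows":
            hits.append((e["computer"], e["path"], "possible hptasks marker file"))
    return hits


# Constructed sample telemetry: one source sweeping six servers over ADMIN$ in two
# minutes (srv01 touched twice), one administrator touching two workstations, one IPC$ event.
_t0 = datetime(2017, 2, 10, 9, 0, 0)
SAMPLE_SHARE_EVENTS = [
    {"ts": (_t0 + timedelta(seconds=20 * i)).isoformat(), "event_id": 5140,
     "src_ip": "10.0.0.5", "user": "CORP\\svc_backup", "computer": host, "share": "\\\\*\\ADMIN$"}
    for i, host in enumerate(["srv01", "srv02", "srv03", "srv04", "srv05", "srv06", "srv01"])
] + [
    {"ts": "2017-02-10T09:05:00", "event_id": 5140, "src_ip": "10.0.0.9",
     "user": "CORP\\jsmith", "computer": "ws01", "share": "\\\\*\\C$"},
    {"ts": "2017-02-10T09:06:00", "event_id": 5140, "src_ip": "10.0.0.9",
     "user": "CORP\\jsmith", "computer": "ws02", "share": "\\\\*\\C$"},
    {"ts": "2017-02-10T09:07:00", "event_id": 5140, "src_ip": "10.0.0.5",
     "user": "CORP\\svc_backup", "computer": "srv07", "share": "\\\\*\\IPC$"},
]

SAMPLE_FILE_EVENTS = [
    {"event_id": 11, "computer": "srv03", "path": "C:\\Windows\\hptasks.exe"},
    {"event_id": 11, "computer": "srv03", "path": "C:\\Windows\\cg.wry"},
    {"event_id": 11, "computer": "ws01", "path": "C:\\Users\\jsmith\\report.docx"},
    {"event_id": 11, "computer": "srv04", "path": "C:\\Windows\\done.res"},
]

if __name__ == "__main__":
    for src_ip, user, hosts in flag_share_sweeps(SAMPLE_SHARE_EVENTS):
        print(f"admin-share sweep from {src_ip} as {user}: {', '.join(hosts)}")
    for computer, path, reason in flag_tool_artifacts(SAMPLE_FILE_EVENTS):
        print(f"{computer}: {path} ({reason})")
```

On the constructed input the sweep detector reports only 10.0.0.5 (six distinct servers, srv01 counted once, the IPC$ event ignored), while the administrator touching two workstations stays below the threshold; lowering min_hosts to 2 surfaces that account as well, which is the trade-off to tune against your own baseline of legitimate admin-share use.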

In addition to hptasks.exe and mks.exe, five other pieces of malware were discovered on a second computer on the victim’s network. Three of these tools are linked to Lazarus. Two were variants of Destover (Backdoor.Destover), a tool used in the Sony Pictures attacks. The third was Trojan.Volgmer, malware that Lazarus has previously used in attacks against South Korean targets.

Beginning on March 27, at least five organizations were infected with a new sample of WannaCry. There does not appear to have been a pattern to those targeted, with the organizations spanning a range of sectors and geographies. These attacks revealed further evidence of links between those behind WannaCry and the Lazarus Group.

Two different backdoors were used to deploy WannaCry in these attacks: Trojan.Alphanc and Trojan.Bravonc. Alphanc was used to drop WannaCry onto computers belonging to at least two of the known victims, with a slightly modified version of the malware deployed to each victim.

Alphanc shares a significant amount of code with Backdoor.Duuzer, a sub-family of the Destover wiping tool used in the Sony attacks (see Appendix B: Shared Code). In fact, Symantec investigators believe Alphanc is an evolution of Duuzer. Duuzer has also previously been linked to the activity of Backdoor.Joanap and Trojan.Volgmer, which have both been previously linked to Lazarus.

Symantec researchers were able to establish a detailed timeline of the activity of Alphanc on one of the victim’s systems, from the time it arrived on the system to when WannaCry was deployed.

This month, a new version of WannaCry was released which incorporated the leaked “EternalBlue” exploit. EternalBlue uses two known vulnerabilities in Windows SMB (addressed by Microsoft’s MS17-010 update, released in March) to spread the ransomware to unpatched computers on the victim’s network and also to other vulnerable computers connected to the internet.

The incorporation of EternalBlue transformed WannaCry from a dangerous threat that could only be used in a limited number of targeted attacks to one of the most virulent strains of malware seen in recent years. It caused widespread disruption, both to organizations infected and to organizations forced to take computers offline for software updates. The discovery and triggering of a kill switch by the researcher behind the MalwareTech security blog halted its spread and limited the damage.

The earlier versions of WannaCry and the one used in the May 12 attacks are largely the same, with some minor changes, chiefly the incorporation of the EternalBlue exploit. The passwords used to encrypt the Zip files embedded in the WannaCry dropper are similar across both versions (“wcry@123”, “wcry@2016”, and “WNcry@2ol7”), indicating that both versions were likely written by the same group.

The small number of Bitcoin wallets used by the first version of WannaCry, and its limited spread, indicate that this was not a tool that was shared across cybercrime groups. This provides further evidence that both versions of WannaCry were operated by a single group.

Aside from commonalities in the tools used to spread WannaCry, there are also a number of links between WannaCry itself and Lazarus. The ransomware shares some code with Backdoor.Contopee, malware that has previously been linked to Lazarus. One variant of Contopee uses a custom SSL implementation with an identical cipher suite list to the one used by WannaCry: both samples offer the same set of 75 ciphers (as opposed to OpenSSL, which offers over 300).

In addition, WannaCry uses similar code obfuscation to Infostealer.Fakepude, malware that has previously been linked to Lazarus; and Trojan.Alphanc, malware that was used to spread WannaCry in the March and April attacks and which has been linked to Lazarus.

The discovery of a small number of earlier WannaCry attacks has provided compelling evidence of a link to the Lazarus group. These earlier attacks involved significant use of tools, code, and infrastructure previously associated with the Lazarus group, while the means of propagation, through backdoors and stolen credentials, is consistent with earlier Lazarus attacks. The leak of the EternalBlue exploit was what allowed the attackers to turn WannaCry into a far more potent threat than it would have been had they still been relying on their own tools, since it bypassed many of the steps the attackers previously had to take, removing both the need to steal credentials and the need to copy the malware from computer to computer.