WannaCry ransomware attack linked to North Korea

Code discovered in the WannaCry worm also has been found in backdoor code used by a hacking group tied to North Korea's government.

Steven Musil Night Editor / News

Security researchers say they've found evidence that suggests a state-sponsored hacking group in North Korea may be behind the global WannaCry ransomware hack.

Neel Mehta, a security researcher at Google, discovered that computer code found in an early version of the WannaCry malware was identical to code used by the Lazarus Group, a hacking group linked to the government of North Korea. In a cryptic tweet Monday, Mehta referenced code found in both a backdoor used by the Lazarus Group in 2015 and the WannaCry worm, which has held hundreds of thousands of computers hostage in the largest cyberextortion scheme ever.

However, the overlapping code was removed from later versions, suggesting it was planted to trick researchers into concluding that the Lazarus Group was behind the attack. Researchers at antivirus software maker Kaspersky Lab called that theory possible but improbable.

"For now, more research is required into older versions of WannaCry," Kaspersky Lab researchers wrote in a blog post. "We believe this might hold the key to solve some of the mysteries around this attack. One thing is for sure -- Neel Mehta's discovery is the most significant clue to date regarding the origins of WannaCry."

Ransomware is malware that encrypts important files, locking people out of their computers unless they pay up to prevent their entire system from being deleted. The cyberattack has hit more than 300,000 computers in more than 150 countries since it was first detected Friday, a White House adviser said Monday.

Hackers typically demand about $300 in payment via bitcoin, an untraceable digital currency often used on shadowy parts of the internet. If that ransom isn't paid in 72 hours, the price could double. And after a few days, the files are permanently locked.

Hackers could stand to make more than $1 billion if the ransoms are all paid.

Brad Smith, Microsoft's chief counsel, said Sunday in a company blog post the blame for the cyberattack's spread lay with government agencies, which he accused of hoarding software flaws and keeping them secret. Calling the attack a "wake-up call," Smith said that by keeping software vulnerabilities secret from vendors, governments open up users to attacks like WannaCry.

North Korea is no stranger to accusations of cyberwarfare. The US government has concluded that North Korea was behind the break-in of Sony Pictures' networks in 2014, which resulted in the theft of Social Security numbers from 47,000 employees and leaks of embarrassing internal documents and emails.
