On 12 May 2017, as the WannaCry ransomware spread across computer networks across the world, a variety of explanations also began to worm their way through the information security community. Who was responsible for the WannaCry campaign? And what was the objective? Ransomware suggested it was the work of cybercriminals, although, given the sheer scale of infections and disruption, some commentators suspected the hand of a nation state. Despite relentless analysis from the security research community that has brought fragments of new information to the fore, no consensus has yet been reached on an attribution for the campaign.
One of the most recent theories put forward rests on a possible connection between WannaCry and the Lazarus Group, an actor that has previously been linked with several high-profile network intrusions and assessed as highly likely to have some association with the Democratic People’s Republic of Korea (DPRK).
Analysis has indicated that WannaCry samples from February 2017 contained a small section of code identical to those used in previous Lazarus campaigns. At the time of writing, however, we assessed there to be insufficient evidence to corroborate this claim of attribution to this group, and alternative hypotheses should be considered.
While malware may initially be developed and used by a single actor, this does not mean that it will permanently remain unique to that actor. Malware samples might be accidentally or intentionally leaked, stolen, sold, or used in independent operations by individual members of a group. It is therefore important to consider other factors, such as the consistency of an operation with previous activity attributed to an actor.
Digital Shadows has, therefore, applied the Analysis of Competing Hypothesis (ACH) technique to the information currently available through sources. ACH uses a weighted inconsistency algorithm to assign numeric values - weighted by the assessed reliability and relevance of each data point - to represent how consistent the available evidence is with a given hypothesis.
While the aim here was not to provide a conclusive attribution for the WannaCry campaign, this structured analytical technique allows us to assess the reliability and relevance of the data presented thus far, as well as make some tentative assessments over the type of actor most likely to have been behind last week’s attacks. As such, we compared four hypotheses for the purposes of this exercise. That the campaign was the work of:
Using a mixture of primary and secondary reporting, as well as assessments from Digital Shadows analysts, we have included a collection of the most salient data points to have emerged at the time of writing. As well as the widely-discussed use of the DOUBLEPULSAR backdoor dropper, ETERNALBLUE exploit, and SMB vulnerability, the latter for propagation, we have included several other pieces of evidence to drive our assessment. These are presented in the ACH table below, though some of the more significant points include:
Though by no means definitive, we assessed that a WannaCry campaign launched by an unsophisticated cybercriminal actor was the most plausible scenario based on the information that is currently available. While there were numerous data points that were consistent with this assessment, a few stand out:
These inconsistencies are not errors we normally associate with a sophisticated cybercriminal operation. The Carbanak (AKA Anunak) organised criminal group, in comparison, are known for conducting highly-targeted, lucrative, and efficient operations relying on the strategic use of social engineering attacks and network intrusions that more resemble the tactics used by Advanced Persistent Threat (APT) groups.
H3 and H4, which posit that the campaign was the work of a state-affiliated actor, also contain inconsistencies:
Such tactics would have been more consistent with the activities of a sophisticated criminal outfit or a technically-competent nation-state actor.
It is entirely possible that new information will come to light in future that further supports, or even discredits, some of the hypotheses proposed in this exercise. While attribution may be exciting and fulfil our insatiable desire to put a face to the crime, perhaps what is more important in this instance is reviewing what lessons we can learn from the WannaCry campaign.
Article by Digital Shadows analyst team.