{
	"id": "6929058b-34ff-4e0b-96a8-8eab6de4dd0f",
	"created_at": "2026-04-06T01:28:59.549946Z",
	"updated_at": "2026-04-10T03:38:20.225202Z",
	"deleted_at": null,
	"sha1_hash": "cdcc3445509e4e31db94a5627df46ea92ad6ec37",
	"title": "WannaCry ‘Highly Likely’ Work of North Korean-linked Hackers, Symantec Says",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 69312,
	"plain_text": "WannaCry ‘Highly Likely’ Work of North Korean-linked Hackers,\r\nSymantec Says\r\nBy Ionut Arghire\r\nPublished: 2017-05-23 · Archived: 2026-04-06 00:53:49 UTC\r\nNorth Korea-linked Lazarus Hacking Group is “Highly Likely” to be Responsible for the Global\r\n“WannaCry” Ransomware Attack, Symantec Says\r\nAnalysis of the tools and infrastructure used in the WannaCry ransomware attacks reveals a tight connection\r\nbetween the threat and the North Korean hacking group Lazarus, Symantec claims.\r\nThe global outbreak on May 12 drew the world’s attention to WannaCry, but the threat had been active before that,\r\nthe security researchers say. Over 400,000 machines have been hit by WannaCry to date, although not all were\r\ninfected, courtesy of a kill-switch domain registered shortly after the attack began.\r\nThe first WannaCry variant, however, emerged in February, and security researchers had already discovered a possible\r\ntie between it and the Lazarus group, although some suggested such a connection was far-fetched.\r\nNorth Korea has denied involvement in the ransomware outbreak.\r\nThe Lazarus group (also known as BlueNoroff) was previously associated with a number of devastating attacks,\r\nincluding the Sony Pictures hack in 2014 and the $81 million cyber heist from Bangladesh’s account at the New\r\nYork Federal Reserve Bank in 2016. Recently, Kaspersky suggested that the group could be the most serious\r\nthreat to banks.\r\nSymantec now says that tools previously associated with the group were found on computers infected with\r\nWannaCry. 
Before the May 12 attack, the ransomware was used in a small number of targeted campaigns in\r\nhttps://www.securityweek.com/wannacry-highly-likely-work-north-korean-linked-hackers-symantec-says\r\nPage 1 of 3\n\nFebruary, March, and April, and the variants are almost identical, save for the method of propagation (the recent\r\nversion uses the NSA-linked EternalBlue exploit).\r\nAccording to Symantec, these attacks show “substantial commonalities in the tools, techniques, and infrastructure\r\nused by the attackers and those seen in previous Lazarus attacks, making it highly likely that Lazarus was behind\r\nthe spread of WannaCry.”\r\nDespite that, however, “the WannaCry attacks do not bear the hallmarks of a nation-state campaign but are more\r\ntypical of a cybercrime campaign,” the security researchers admit. Prior to the May 12 campaign, WannaCry was\r\nusing stolen credentials to spread across infected networks and didn’t employ the leaked EternalBlue exploit.\r\nAfter the first WannaCry attack in February, experts discovered three pieces of malware linked to Lazarus on the\r\nvictim’s network, including the Volgmer Trojan and two variants of the Destover backdoor (the disk-wiping tool\r\nused in the Sony Pictures attacks).\r\nMoreover, the researchers discovered that WannaCry used the Alphanc Trojan for distribution in the March and\r\nApril attacks, and that this malicious program is a modified version of the Lazarus-linked Duuzer backdoor.\r\nSymantec also found the Bravonc backdoor, which uses code obfuscation similar to that of WannaCry and the Fakepude info-stealer (also linked to Lazarus), and the Bravonc Trojan, which used the same IP addresses for command and\r\ncontrol (C\u0026C) as Duuzer and Destover, both linked to Lazarus.\r\nFinally, there is the shared code between the previous WannaCry ransomware version and the Lazarus-linked\r\nContopee backdoor.\r\nThe February WannaCry attack hit a single organization but compromised over 100 computers within two 
minutes\r\nafter the initial infection. A variant of the Mimikatz password-dumping tool was used for compromise, with a\r\nsecond tool used to copy and execute WannaCry on other network computers using the stolen passwords.\r\nIn addition to these tools, the security researchers found five other pieces of malware on a second computer on the\r\nvictim’s network, and three of them were linked to Lazarus: Volgmer and the two variants of Destover.\r\nA new sample of WannaCry emerged in late March, and five organizations were infected with it. The Alphanc and\r\nBravonc backdoors were employed in these attacks, with the former used to drop WannaCry onto the\r\ncompromised computers of at least two victims. Alphanc is believed to be an evolution of Duuzer, a sub-family of\r\nthe Destover wiping tool used in the Sony attacks.\r\nThese attacks hit organizations spanning a range of sectors and geographies, but Symantec found evidence of the\r\ntools used in the February attacks on the computers compromised in March and April as well.\r\nThe Bravonc Trojan was used to deliver WannaCry to the computers of at least two other victims, the security\r\nresearchers say. The malware connects to a C\u0026C server hosted at the same IP address as the IP address used by\r\nDestover and Duuzer samples, and which was also referred to in a Blue Coat report last year.\r\n“The incorporation of EternalBlue transformed WannaCry from a dangerous threat that could only be used in a\r\nlimited number of targeted attacks to one of the most virulent strains of malware seen in recent years. 
It caused\r\nwidespread disruption, both to organizations infected and to organizations forced to take computers offline for\r\nsoftware updates,” Symantec explained.\r\nThe security firm also notes that the passwords used to encrypt the ZIP files embedded in the WannaCry dropper\r\nare similar across versions (“wcry@123”, “wcry@2016”, and “WNcry@2ol7”), suggesting they come from the\r\nsame actor. Further, the use of a small number of Bitcoin addresses in the initial version and its limited spread\r\nindicates that it wasn’t a ransomware family shared across cybercrime groups.\r\n“Aside from commonalities in the tools used to spread WannaCry, there are also a number of links between\r\nWannaCry itself and Lazarus. The ransomware shares some code with Backdoor.Contopee, malware that has\r\npreviously been linked to Lazarus. One variant of Contopee uses a custom SSL implementation, with an identical cipher suite, which is also used by\r\nWannaCry. 
The cipher suite in both samples has the same set of 75 different ciphers to choose from (as opposed to\r\nOpenSSL where there are over 300),” Symantec says.\r\nThe small number of earlier WannaCry attacks provides sufficient evidence to link the ransomware to Lazarus,\r\nSymantec says, given the significant use of tools, code, and infrastructure previously associated with the group.\r\nThe company also notes that the leak of the EternalBlue exploit was what turned the malware into a far more potent\r\nthreat than it would have been had it continued to use its own tools.\r\nRelated: North Korea Denies Role in Global Cyberattack\r\nRelated: WannaCry Does Not Fit North Korea’s Style, Interests: Experts\r\nRelated: North Korea Possibly Behind WannaCry Ransomware Attacks\r\nSource: https://www.securityweek.com/wannacry-highly-likely-work-north-korean-linked-hackers-symantec-says",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.securityweek.com/wannacry-highly-likely-work-north-korean-linked-hackers-symantec-says"
	],
	"report_names": [
		"wannacry-highly-likely-work-north-korean-linked-hackers-symantec-says"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0",
			"created_at": "2022-10-25T15:50:23.240383Z",
			"updated_at": "2026-04-10T02:00:05.299433Z",
			"deleted_at": null,
			"main_name": "APT38",
			"aliases": [
				"APT38",
				"NICKEL GLADSTONE",
				"BeagleBoyz",
				"Bluenoroff",
				"Stardust Chollima",
				"Sapphire Sleet",
				"COPERNICIUM"
			],
			"source_name": "MITRE:APT38",
			"tools": [
				"ECCENTRICBANDWAGON",
				"HOPLIGHT",
				"Mimikatz",
				"KillDisk",
				"DarkComet"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd",
			"created_at": "2022-10-25T16:07:23.766784Z",
			"updated_at": "2026-04-10T02:00:04.7432Z",
			"deleted_at": null,
			"main_name": "Bluenoroff",
			"aliases": [
				"APT 38",
				"ATK 117",
				"Alluring Pisces",
				"Black Alicanto",
				"Bluenoroff",
				"CTG-6459",
				"Copernicium",
				"G0082",
				"Nickel Gladstone",
				"Sapphire Sleet",
				"Selective Pisces",
				"Stardust Chollima",
				"T-APT-15",
				"TA444",
				"TAG-71",
				"TEMP.Hermit"
			],
			"source_name": "ETDA:Bluenoroff",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775438939,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cdcc3445509e4e31db94a5627df46ea92ad6ec37.pdf",
		"text": "https://archive.orkl.eu/cdcc3445509e4e31db94a5627df46ea92ad6ec37.txt",
		"img": "https://archive.orkl.eu/cdcc3445509e4e31db94a5627df46ea92ad6ec37.jpg"
	}
}