Internet of Wilderness of Mirrors

Why is WannaCry?

thaddeus t. grugq
May 19, 2017 · 6 min read

The evidence is mounting up that the WannaCry worm was developed by the Lazarus group (tied to North Korea.) I was initially skeptical of the attribution, it didn’t feel right. But there are stronger links now, and there is a plausible narrative that fits the available facts. I’m willing to accept Lazarus group as the source. A North Korean APT ransomware using US APT exploits released by a Russian APT. (Who says international cyber cooperation needs more work?)

If it is true that DPRK released the WannaCry worm, why did they do it? As a money making scheme it is inept. It seems half-baked in many ways — no ability to handle a mass infection event, a poorly thought out “kill switch” — this is a very weird move for a national level cyber threat actor. Still, the available public evidence is pointing that way...

  1. Code that is unique to the Lazarus backdoor and the C2 protocol of the WannaCry worm is identical. At a minimum, this suggests access to Lazarus group source code.
  2. Symantec discovered Lazarus linked tools and early variants of WannaCry colocated on the same computer.
  3. Russian and Spanish telcos were early victims, followed by the UK’s national healthcare. If this was a Russian group they never would have hit Russian systems — point for anyone not-Russia (e.g. Lazarus).
  4. The addition of the EternalBlue exploit was a straightforward cut and paste job from the FuzzBunch Python scripts. It was a late addition, with earlier variants apparently propagating via Lazarus tools and very basic SMB remote execution on open shares.
  5. After the high profile attack, rather than go to ground (like any sensible hackers would do), the WannaCry authors have contacted victims to let them know they get decrypted if they pay. This suggests that they are not concerned about GCHQ, NSA and FSB hunting them down.
  6. Sloppy, wonky, broken code that works on basically only one target variant but is somehow also a subtle false attribution attempt? That doesn’t make a lot of sense. Why not go big if you gonna lay the blame on someone else?

Capability, Opportunity, Intent

Evaluating a potential threat means looking at their capabilities, intent and opportunity to perform the attack. Anyone would have the capability to write crappy ransomware, and the bar for opportunity is set to “has internet connection”…so, what could be the intent? This was the big problem with the Lazarus group attribution. They seem to lack a reason to make shitty ransomware to collect $300 bucks a pop. Why not just use the SWIFT malware and attacks they’ve been using for years to keep stealing millions?

Then the evidence started to come in. For example, despite the huge public attention and the massive law enforcement (and SIGINT) resources that are being thrown at the authors of this attack, they still seem to be operating rather than trying to cover their tracks and vanish (like anyone with this much heat on them would).

The authors were still busy fixing bugs when it exploded beyond their ability to handle the infection rate, and the impact on high profile targets made it too hot to handle for anyone with anything to lose…

The SMB injector only works against Windows 7 and Windows 2008 R2. It is broken against other targets, such as Windows XP. Very poor development work, or an early stage of development before the big unveiling.

Indeed, Microsoft have confirmed that they haven’t seen any XP infections in the wild.

Schtop! This ransomware is not ready yet!

The several variants released in short time; the poor performance (only infecting Windows 7 and 2008 R2); the missing infrastructure to handle support and payment to decryption workflow; the weird kill switch; the slow spread of an earlier variant using a shitty ancient propagation technique… This is software still in development that escaped.

Here’s what I think happened. The Lazarus group (or someone with their source code) starts branching out into ransomware. They’re planning on some small slow below the radar spread, low payment ($300), probably only hitting a few hundred machines over a few weeks. It requires essentially manual install inside a LAN and then luck to hit open file shares that allow remote execution.

After toying with this for a week or so, they replace the “SMB open share exec” infection routine with “ETERNALBLUE” because, hey, it’s also an SMB infection vector. Maybe they read “11 ways to turbocharge your ransomware” and “Number 8: Automate, don’t manually install” really resonated with them?

And then, the wheels fell off. It explodes out of control, beyond the infection volume they can handle. To make matters worse, the damn thing hits high profile targets (hospitals) in a western country that generates a flood of media coverage.

WannaCry developers explain the events

Wake up call? More like sales call.

The infosec industry was quick to respond. Small groups of researchers worked to understand and mitigate against the attack, and frothy marketing departments went into overdrive talking about ransomware. It is embarrassing and shameful how so many companies reveal themselves for the ambulance chasers that they are.

Geopolitical coincidence

My initial skepticism of the North Korean attribution was based on a lack of Intent. There is no obvious reason that they would want to do such a low volume cash generation activity (they steal millions, not hundreds.) On the other hand, the timing of the attack and the immediate (and predictable) backlash against the NSA suggested a political motivation for “the cyber worm based on NSA cyber hacking cyber weapons!!!1!1”

Multiple people had the same thought. The politics of this was way too convenient. The day after the first wave of media attention the Russians (via their ShadowBrokers attribution front) issued a particularly lengthy post distancing themselves from the attack and blaming North Korea (among other things.) Very convenient timing, and very fast attribution — blaming DPRK for a [beta quality] ransomware worm that used NSA exploits (released by ShadowBrokers.) A false flag attack with the intent of damaging morale and capability at the NSA seemed much more plausible.

As the evidence pointing towards Lazarus group got stronger, it became clear that there’s no reason to attribute the ransomware code and campaign to Russia just because it is extremely politically useful for them (cui bono attribution). They could simply have provided some hints, persuasion or guidance to Lazarus group. That allows the Russians to reap the political benefits, and Lazarus group to take the fall like a patsy. Everyone wins! So I’m holding out this scenario as a possibility. This just feels right.

Things to come

Since there is a high likelihood that WannaCry is a nation state group that has moved into ransomware, they aren’t likely to go away. A normal hacker group would be laying low to avoid capture, but these guys have no such concerns. As such, I predict that they’ll learn a great deal from what has been (for them) the WannaCry Debacle. They will add additional exploits from the NSA toolkit released by the Russians. They will raise the price on the ransom – $300 is way too low.


Seriously, a worm escaping out of the target environment is literally what happened with Stuxnet — developed by top US and Israeli offensive tool developers. Do you really think the imbeciles from Lazarus group could do any better?

Support more analysis like this.

Update: Symantec has released a blog post with more links to Lazarus group and a better timeline.

thaddeus t. grugq

Written by

Information Security Researcher :: ::