
British investigators blame North Korea for Wanna Cry attack: report

A British-led international investigation into the origins of the Wanna Cry ransomware has come to the same conclusion as the National Security Agency and a number of private firms: North Korea was behind the attacks. 

The Wanna Cry ransomware held hundreds of thousands of computers hostage in May by encrypting files until users paid for a decryption key.

According to the Friday BBC report, Britain’s National Cyber Security Centre headed a multinational inquiry into the attacks. Ultimately, the group determined that a North Korean government-led hacking group known as Lazarus was behind the attacks. 

The Washington Post reported earlier in the week that the NSA had reached similar conclusions with “moderate” confidence. 

Lazarus is most famous for the attack on Sony Pictures in protest of a movie that depicted the assassination of Kim Jong-un. More recently, the group has been tied to an international string of digital bank robberies that netted hundreds of millions of dollars.

The Lazarus theory was first floated by a researcher at Google who noticed that certain unique computer code overlapped between Lazarus tools and Wanna Cry.

That theory was backed up by researchers at Kaspersky Lab and Symantec, who also found that internet addresses used in the infrastructure of the attacks and techniques to disguise the true purpose of the code also matched. Symantec found evidence that early versions of Wanna Cry were installed on systems that also had other Lazarus malware installed. 

The malware interrupted government systems in Russia, hospitals in Britain and a telecom in Spain. 

The damage could have been far worse if not for coding mistakes. A likely failsafe, meant to prevent the malware from being researched in safe, non-internet-connected environments, required it to contact a nonexistent website and receive notification that the site did not exist before completing installation.

But security firm Kryptos Logic registered the website early in the attack, preventing Wanna Cry from holding even more computers hostage. In congressional testimony on Thursday, the company said more than 10 million systems had contacted the site trying to find out whether to complete installation.