Code similarities indicate WannaCry ransomware may have been developed by North Korea-linked Lazarus Group

Researchers have said WannaCry, the malware behind Friday’s wide-spread cyber-attack, may have links to a North Korean hacking group, as NHS trusts began to recover from the disruption caused by the incident.

Google security researcher Neel Mehta first suggested a link with North Korea on Monday when he posted code on Twitter that was found both in an earlier version of WannaCry and in code used in 2015 by a group linked to North Korea’s government.

‘Significant clue’

Other firms, including Kaspersky Lab, Symantec and Matt Suiche of UAE-based Comae Technologies confirmed the code appeared to match.

“Neel Mehta’s discovery is the most significant clue to date regarding the origins of WannaCry,” Kaspersky said in an advisory. “We believe it’s important that other researchers around the world investigate these similarities and attempt to discover more facts about the origin of WannaCry.”

The code found by Mehta was contained in a version of WannaCry from February of this year and a 2015 backdoor used by the hacking group, known as Lazarus Group.



The US government has accused Lazarus and the North Korean government of instigating a 2014 hack on Sony Pictures, while some security researchers say the group was involved in the theft of $81 million (£63m) from Bangladesh’s central bank last year.

Lazarus is also thought to have been behind a disruptive 2013 attack on South Korean broadcasters and banks.

NHS disruption

“Lazarus is operating a malware factory that produces new samples via multiple independent conveyors,” Kaspersky wrote.

Other security firms said the code similarities didn’t necessarily indicate any North Korean involvement WannaCry, with FireEye saying they weren’t strongly suggestive of a link.

North Korea’s mission to the United Nations didn’t immediately respond to a request for comment.

The attack has affected at least 200,000 systems in 150 countries since Friday, according to figures released by Europol over the weekend, affecting the NHS amongst other large European organisations.

In England 47 NHS trusts reported problems at hospitals, with 13 affected in Scotland. No issues were reported in Wales or Northern Ireland.

The BBC said its research suggested 16 of the English trusts were still experiencing issues as of Monday, but found the number of hospitals diverting patients from A&E decreased from seven on Sunday to two on Monday.

Find out about the second wave of WannaCry on page 2