North Korea linked to WannaCry attack, as experts say the NHS should have done more to protect itself
The Lazarus Group, responsible for the Sony Pictures hack of 2014, suspected of perpetrating WannaCry hack
North Korea has been linked to the recent spate of ransomware attacks that affected large parts of the NHS, among other organisations.
The Lazarus Group, the hacking collective responsible for the Sony Pictures hack of 2014 and an attempt to extort $1bn from Bangladesh Bank in 2016, is thought by many to be behind the recent WannaCry attack. According to widespread reports, the group is thought to have operated out of China, but to have been working on behalf of North Korea.
Google security researcher Neel Mehta posted circumstantial evidence of the link on Twitter.
He said that he had discovered similarities between WannaCry's code and other software believed to have been created by the Lazarus Group in the past.
Meanwhile, the Center for Internet Security (CIS) in the US told Computing that the NHS could have done more to protect itself from WannaCry, and similar types of attack.
"We have no visibility into NHS Security architecture and practices so we can't make a determination on whether they could have done more," said Steve Spano, CIS President & COO. "CIS has been advised that the attacks exploited known vulnerabilities dating back to March. The attacks could have been prevented by the installation of available patches."
Ryan Kalember, SVP of Cybersecurity Strategy at security vendor Proofpoint, added that the WannaCry software is constantly evolving.
"As of yesterday, two additional variants of WannaCry ransomware had appeared. These appear to be 'patched' versions of the original malware, rather than recompiled versions developed by the original authors. The first variant, WannaCry 2.0(a), pointed its 'kill switch' to a different internet domain - which was also promptly registered and effectively sinkholed, stopping its spread. The second variant, WannaCry 2.0(b), had the kill switch functionality removed, thus enabling it to propagate - but the ransomware payload fails to properly deploy, causing no direct impact to targeted systems.
"That said, Proofpoint has tracked new variants of ransomware emerging every 2-3 days over the last 14 months, and there is no indication that the trend is slowing. It remains critical that all organizations immediately ensure they have the most updated patches deployed and backups ready to restore in the event of a ransomware attack," he stated.