WannaCry: Ransomware attacks show strong links to Lazarus group

2017-05-22 • Symantec •

https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group

#WannaCry #Lazarus

Thumbnail for WannaCry: Ransomware attacks show strong links to Lazarus group

Symantec assessed that the tools and infrastructure used in WannaCry showed strong links to Lazarus, while cautioning that the technical evidence did not establish a specific nation-state motivation. Before the May 12 global outbreak, earlier WannaCry variants were used in targeted February, March, and April 2017 attacks that spread with stolen credentials rather than EternalBlue. The February victim network contained Lazarus-linked malware including Trojan.Volgmer and two Backdoor.Destover variants, while later attacks used Trojan.Alphanc, described as an evolution of Backdoor.Duuzer, and Trojan.Bravonc, which shared C2 infrastructure and code traits with Duuzer, Destover, Joanap, and other Lazarus-linked tools. Symantec also highlighted shared code between WannaCry and Backdoor.Contopee, similar archive passwords across early and global WannaCry versions, and the May addition of EternalBlue as the change that turned a limited targeted tool into a fast-spreading global ransomware outbreak.

Indicators of Compromise

Type	Value	First Seen	Last Seen
HASH	9c7c7149387a1c79679a87dd1ba755bc	2017-05-15	2025-02-04
HASH	ac21c8ad899727137c4b94458d7aa8d8	2017-05-15	2025-02-04
HASH	9a5fa5c5f3915b2297a1c379be9979f0	2017-05-22	2023-10-13
HASH	9f177a6fb4ea5af876ef8a0bf954e37…	2017-05-22	2020-03-09
HASH	fa6ee9e969df5ca4524daa77c172a1a7	2017-05-22	2018-09-24
IPv4	84.92.36.96	2017-05-22	2018-09-06
IPv4	87.101.243.252	2017-05-22	2018-09-06
IPv4	196.45.177.52	2017-05-22	2018-09-06
IPv4	184.74.243.67	2017-05-22	2018-09-06
HASH	a1ffca7ba257b4eca7fe7d1e78bac623	2017-05-22	2017-05-22
HASH	55dd9b0af2a263d215cb4fd48f16231a	2017-05-22	2017-05-22
HASH	2ba20e39ff90e36086044d02329d43a…	2017-05-22	2017-05-22
HASH	92b0f4517fb22535d262a7f17d19f7c…	2017-05-22	2017-05-22
HASH	fcf3702e52ae32c995a36f7516c662b7	2017-05-22	2017-05-22
HASH	f27cf59b00dacdd266ad7894a1df0894	2017-05-22	2017-05-22
HASH	3c86fc0a93299a0d0843c7d7ff1a137…	2017-05-22	2017-05-22
HASH	436195bd6786baae8980bdfed1d7d7d…	2017-05-22	2017-05-22
HASH	e117406e3c14ab8e98b27c3697aea0b6	2017-05-22	2017-05-22
HASH	043e0d0d8b8cda56851f5b853f244f6…	2017-05-22	2017-05-22
HASH	21307227ece129b1e12797ecc2c9b6d9	2017-05-22	2017-05-22
HASH	1d4ec831292b611f1ff8983ebd1db5d4	2017-05-22	2017-05-22
HASH	ae8e9ff2dc0ec82b6bae7c4d978e3fe…	2017-05-22	2017-05-22
HASH	8386379a88a7c9893a62a67ea3073742	2017-05-22	2017-05-22
HASH	0f246a13178841f8b324ca54696f592b	2017-05-22	2017-05-22
HASH	41e9d6c3374fd0e78853e945b567f93…	2017-05-22	2017-05-22
HASH	0489978ffa3b864ede646d0470500336	2017-05-22	2017-05-22
HASH	ca8dc152dc93ec526e505cf2a173a63…	2017-05-22	2017-05-22
HASH	2a99bcb5d21588e0a43f56aada4e2f3…	2017-05-22	2017-05-22
HASH	8a4d2baa8cf519c7a9b91f414a0a9d8…	2017-05-22	2017-05-22
HASH	f774c0588da59a944abc78d5910be407	2017-05-22	2017-05-22
HASH	e8c6acc1eb7256db728c0f3fed5d23d7	2017-05-22	2017-05-22
HASH	fc079cefa19378a0f186e3e3bf90bde…	2017-05-22	2017-05-22
HASH	d0ce651a344979c8cd11b8019f8e4d7e	2017-05-22	2017-05-22
HASH	7f8166589023cd62ae55a59f5fca607…	2017-05-22	2017-05-22
HASH	91146ee63782a2061701db3229320c1…	2017-05-22	2017-05-22
HASH	6f0338af379659a5155b3d2a4f1a1e92	2017-05-22	2017-05-22
HASH	511778c279b76cac40d5d695c56db4f5	2017-05-22	2017-05-22
HASH	86759ce27d0fe0b203aaa19d4390a416	2017-05-22	2017-05-22
HASH	524f8f0f8c31a89df46a77c7a30af5d…	2017-05-22	2017-05-22
HASH	3bc855bfadfea71a445080ba72b26c1c	2017-05-22	2017-05-22
HASH	a7ea1852d7e73ef91efb5ec9e26b4c4…	2017-05-22	2017-05-22
IPv4	203.69.210.247	2017-05-22	2017-05-22