WannaCry Ransomware: Potential Link to North Korea
2017-07-10 • Intezer
http://www.intezer.com/wp-content/uploads/2017/07/Intezer-WannaCry.pdf
Attachments
Intezer-WannaCry.pdf (925 KB)
Intezer analyzed WannaCry samples and found code-level overlaps with malware families that the report associates with North Korean operators or with attacks on South Korean organizations. The ransomware outbreak spread across Windows networks using EternalBlue, while older samples contained TOR command-and-control and SMB worm capability. Intezer identified code shared with Joanap and Brambul, including an SMB brute-force routine with hardcoded passwords similar to Brambul's, and also cited code previously seen only in Lazarus group malware. The report concludes that this reuse across WannaCry, Lazarus, Joanap, and Brambul strongly suggests the tools were written or modified by the same author, and that, on the evidence it presents, North Korean involvement is highly probable.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | 435e3e191abb9cd0ff2c49447177ff2… | 2017-07-10 | 2017-07-10 |