Hamish May 16, 2017 10:02 AM

My guess is that this was just some noob hashing together various pieces of code that they found lying around the web.

M4n_in_Bl4ck May 16, 2017 10:07 AM

I don’t think it’s North Korea. They are asking for too little money to make me feel like this is state sponsored. If it’s hitting larger targets like NHS, they wouldn’t offer to decrypt for as little as $300.

Sean May 16, 2017 11:00 AM

The fact that they have included a kill-switch in their own code is very questionable. Cybercriminals tend not to care (at all) about consequences. Here, it seems they decided to keep control over their own cyberweapon, probably thinking they would not be able to measure all the consequences before launching their attack.

Have you ever seen attackers with such a (relative) sense of responsibility?

There is one thing I am sure of: they aren’t script kiddies.

Sean May 16, 2017 11:27 AM

We’ve taken over NHS computers and major engineering operation components.

Sounds like horseshit.

ramriot May 16, 2017 11:35 AM

Unlikely this is an organised entity, less so a nation state actor.

1/ They launched a moderately successful campaign with stolen public exploits, but failed to automate the ransom collection and key distribution system. The entity is having to do it manually, one victim at a time.

2/ They leave in a static plaintext domain kill switch in the code.

3/ When 2/ is discovered they release a patched version with the relevant code hexed out, NOT recompiled.

4/ The new version has no kill switch but it also now fails to encrypt files properly while still spreading.

Nope, this is perhaps a single individual’s first major attack who only marginally understands his art.

Dr. Hapgood May 16, 2017 11:48 AM

What if the NSA is the origin of this malware attack? With Trump attacking the intelligence community for finding Russian meddling in the election, the NSA fears for its funding. So they turn to ransomware exploiting the vulnerability they kept secret for so long to generate some much-needed revenue.

Moonbeom Park May 16, 2017 11:51 AM

There have been many hacking incidents by North Korea (7.7 DDoS, 3.4 DDoS, Nonghyup Bank, Dark Seoul, Kimsuky, Korea nuclear power plant, Sony Pictures Entertainment, INTERPARK, and many incidents that cannot be disclosed). And we have a lot of objective grounds to judge those hacking incidents as hacking by North Korea. For example, APIs, communication methods, C&C, commands, strings, shell codes, function branches, protocol structures, annotated strings, IP and User-Agent information left on the server. However, there is a lack of objective grounds to associate the WannaCry ransomware with North Korea. Compared with the past hacking cases by North Korea, there is no problem even if there is no basis.

dragonfrog May 16, 2017 11:52 AM

The thing that gets me is just how stupid the “killswitch” is – if that was its intent.

The whole existence of ransomware is supported by cryptography – strong file encryption, public key crypto to allow the attackers to offer something in exchange for the ransom money, everything about bitcoin.

And yet they didn’t think to use cryptography to stop the defenders from activating their killswitch? For gawd’s sake, don’t just check for the existence of a domain, download the message there, decrypt it with a public key, and see if it comes out to the killswitch message. The defenders won’t have the private key to create that killswitch.

How can you make such devastating crypto-ransomware, and still be so bad at thinking about how cryptography can help you?

aaaaatchoum May 16, 2017 12:07 PM

of course… and Russia decided the outcome of the 2016 presidential election… and the NSA did nothing wrong.

Cynic In Chief May 16, 2017 12:19 PM

This is almost certainly more fake news from the New York Times. As the other commenters pointed out, it’s very amateurish, but not in the way that North Korea would do it. Somebody bought an exploit online and integrated it with their current ransomware system. Like the first virus, they didn’t have a clue how fast it would spread or who it would hit.

Sean May 16, 2017 12:40 PM

The thing that gets me is just how stupid the “killswitch” is – if that was its intent.

Or well designed, if what happened followed exactly their expectations. A security expert (and worse, a gang of security experts) would probably have the necessary knowledge to estimate how long it would take to leverage this kill-switch, whereas they would also know how easy it is to launch another wave of infection.

The biggest problem I see with attribution when it comes to nation-state actors is that they would probably use their best sociological and psychological skills to fool everyone, in addition to their cutting-edge technical skills.

Dirk Praet May 16, 2017 12:44 PM

From the WaPo article

“The provenance of the underlying vulnerability is not of as much concern to me,” Mr. Bossert said, stepping around the delicate question of the N.S.A.’s role.

Of course it’s of no concern to him. They already knew that. Now if this were a Hollywood movie about a biological attack by terrorists, who would the audience be most likely to cast the blame on:

1) The terrorists
2) The secretive government agency that had developed the lethal agent
3) The private and public sector officials who despite all warnings for budgetary and other reasons failed to exercise due diligence in taking the necessary precautions
4) The organisation that was tipped off by the government agency and even had developed a vaccine for the agent but withheld said vaccine for a certain class of patients until the attack had taken place
5) All of the above

Without 2, 3 and 4, there would not have been a terrorist attack. Reducing the issue to identification of whoever is behind WannaCry does not solve the underlying problem and in essence is nothing but political theater to divert attention away from the establishment individuals and entities that allowed it to happen in the first place. Singling out North Korea (without any concrete proof) kinda fits perfectly into this narrative.

JasonR May 16, 2017 12:56 PM

@Thomas_H – No, Microsoft had that patch available for all paying Windows XP extended support customers. NHS decided to neither upgrade WinXP nor continue to pay for extended support. They rolled the dice and lost.

Microsoft was crystal clear when Windows XP public/free support would end, and even extended it for a time. This was a failure of NHS IT/management, plain and simple.

If an organization really has to keep WinXP around, they need to lock down all removable media and I/O ports (USB, CD/DVD, etc.), disable user-managed WiFi, and lock it down to a network with zero Internet access and very restricted off-network access (to the precise servers necessary).

de La Boetie May 16, 2017 1:12 PM

NHS Digital have said they made the patch available to NHS Trusts on 27th April. So somehow the NHS as an organisation had got the patch.

As mentioned above, the politicians are furiously intent on security theatre and dodging obvious (but justified) bullets. But, those bullets haven’t gone away, they’re being fired from machine guns built up during the many years when attack has trumped defence.

The “funniest” thing is the empty assurances that there is “no evidence” that patient data has been compromised. I’d take pretty short odds that it has been stolen some long time since.

We’re also supposed to be reassured that the govt. is now spending £1.9bn on the lavishly funded National Cyber Security Centre who have been doing retrospective hand-wringing. Meanwhile funding for security audits & improvements on critical infrastructure and open source software, is essentially zero. It was an independent security researcher who nobbled the domain and restricted the spread, not the NCSC. The politicians tell us that the NCSC advised the NHS previously about this obviously awful situation – neglecting that many many other people have done so over the years, for free.

There’s also the obvious conflict of interest that the NCSC are part of GCHQ, whose mission, along with the politicians’, appears to be offensive, including towards its own population.

Nor does the UK have anything equivalent to the Vulnerabilities Equities Process (granted that that seems toothless). In any case, this vulnerability was made available via leaked NSA attack tools.

Who? May 16, 2017 1:40 PM

Maybe off-topic, as it is not strictly related to the authorship of WannaCry… has the attack rate of WannaCry changed in the last hours?

Now it seems to spread very quickly. It may be just a change in the algorithm used by MalwareTech.

Tony Pelliccio May 16, 2017 1:59 PM

If they did it’s pretty much a terror attack at this stage. Maybe Pyongyang will be a glowing parking lot sooner than later.

Marcel May 16, 2017 2:01 PM

Kill Switch? I always hear Kill Switch, but it looks much more like a sandbox detection done amateurishly wrong.

The manual key distribution (if there is a key distribution at all, it seems they forgot (“forgot”?) about that too) also is amateurish at best.

AJ May 16, 2017 2:14 PM

The DNS lookup probably wasn’t intended to be a killswitch, but a way to detect if the code was being run inside a sandbox. This article at Ars Technica by the guy who found and registered the domain explains the theory.
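The two readings of the domain check in this thread (dragonfrog’s point that a kill-switch should require the attacker’s private key, and Marcel/AJ’s point that a bare “does this domain answer?” test also fires inside any sandbox that resolves every name) can be put side by side in code. The program below is an added example, not code from the original post or from WannaCry itself. It assumes a hypothetical beacon name `example-beacon.invalid`, a fixed kill message, and a freshly generated Ed25519 keypair standing in for the attacker’s key; the five environments are constructed for the example. It uses only the Go standard library.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Resolver models what the malware gets back when it asks for a domain:
// (nil, false) means the name does not resolve or nothing is served there.
type Resolver func(domain string) (body []byte, ok bool)

// Hypothetical beacon name for the example; not the real WannaCry domain.
const beaconDomain = "example-beacon.invalid"

// killMessage is the fixed message the attacker would sign to say "stop".
var killMessage = []byte("KILL")

// abortUnauthenticated is the check the thread describes: abort whenever
// the beacon domain answers at all. Anyone who registers the name (a
// researcher) or answers every name (a sandbox) trips it.
func abortUnauthenticated(r Resolver) bool {
	_, ok := r(beaconDomain)
	return ok
}

// abortSigned is dragonfrog's proposal: abort only when the body served at
// the beacon is a valid Ed25519 signature over killMessage under the
// attacker's public key. Registering the domain is not enough; producing
// that body needs the private key.
func abortSigned(r Resolver, pub ed25519.PublicKey) bool {
	body, ok := r(beaconDomain)
	if !ok || len(body) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, killMessage, body)
}

// Result records what each variant decides in one environment.
type Result struct {
	Unauthenticated bool
	Signed          bool
}

// Run builds an attacker keypair and five constructed environments and
// returns what both checks decide in each, keyed by scenario name.
func Run() (map[string]Result, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	// A defender's guess at the format: 64 random bytes no key produced.
	forged := make([]byte, ed25519.SignatureSize)
	if _, err := rand.Read(forged); err != nil {
		return nil, err
	}
	serves := func(body []byte) Resolver {
		return func(d string) ([]byte, bool) {
			if d != beaconDomain {
				return nil, false
			}
			return body, true
		}
	}
	envs := map[string]Resolver{
		// Nobody has registered the name: both variants keep running.
		"unregistered": func(string) ([]byte, bool) { return nil, false },
		// A researcher registers it and serves a sinkhole page.
		"defender-registers": serves([]byte("<html>sinkhole</html>")),
		// A sandbox that resolves and answers every name.
		"sandbox": func(string) ([]byte, bool) { return []byte("<html>fake</html>"), true },
		// A defender who knows the format but not the key.
		"defender-forges": serves(forged),
		// The attacker (who controls the DNS, as Max suggests) publishes a real signature.
		"attacker-signs": serves(ed25519.Sign(priv, killMessage)),
	}
	out := make(map[string]Result, len(envs))
	for name, r := range envs {
		out[name] = Result{
			Unauthenticated: abortUnauthenticated(r),
			Signed:          abortSigned(r, pub),
		}
	}
	return out, nil
}

func main() {
	res, err := Run()
	if err != nil {
		panic(err)
	}
	for _, name := range []string{"unregistered", "defender-registers", "sandbox", "defender-forges", "attacker-signs"} {
		fmt.Printf("%-19s unauthenticated=%-5v signed=%v\n", name, res[name].Unauthenticated, res[name].Signed)
	}
}
```

Only the “attacker-signs” environment stops the signed variant; the other three answering environments (a registered sinkhole, a resolve-everything sandbox, a forged blob) stop the unauthenticated check but not the signed one. That is the whole of dragonfrog’s point: a domain-existence test hands the switch to whoever registers the name, while a signature check leaves it with whoever holds the key.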

Sean May 16, 2017 3:26 PM

Not really convincing, IMHO. Unless, it’s been observed the malware self-destructs.

Gerard May 16, 2017 3:40 PM

@ Marcel,

“Kill Switch? I always hear Kill Switch, but it looks much more like a sandbox detection done amateurishly wrong.”

I think it’s a bit more complicated. The question I am having is why wasn’t this kill switch removed the moment the distributors of this ransomware found out that a security researcher activated that kill switch? That question is a puzzle for me. Maybe I am thinking in the wrong direction and have to widen the scope.

Gerard May 16, 2017 3:56 PM

Adding to my previous comment:

Of course there are a couple of scenarios, but the thing is, it doesn’t look like “ordinary” criminal activity.

Anon May 16, 2017 4:12 PM

Something is definitely off about this attack.

  • It was apparently targeted at Governments and big business
  • It hit all the above within a day of each other
  • Smaller, more typical targets seem to be collateral damage
  • It doesn’t seem to have escaped into the wild (it appears it only infects systems on the local network)

Note I have nothing concrete to support my theory, but by now we should be looking at infections in the millions, and we’re not – it seems to have stabilized, the “kill switch” notwithstanding.

I also doubt the claim of the “security expert” who just “happened” to “accidentally” trigger it. Convenient.

Thomas_H May 16, 2017 4:42 PM


One has to wonder whether an exceptional security update should perhaps be available for all users, paid support or not, when it concerns an exceptional security hole that has the potential of causing major havoc…

Or do you think it would be acceptable if, say, a utility or machine manufacturer claimed that only customers who have a support contract would get a free replacement for a potentially dangerous flaw that the manufacturer was warned about earlier? Perhaps this is so in the USA, but in many European countries it would provide reason to pursue the manufacturer for negligence.
E.g.: My oven, made by a major European manufacturer of kitchen utilities, had to be repaired (for free) under a special repair program due to a manufacturing flaw that could potentially cause a deadly explosion. This cost the manufacturer millions, but if they did not comply they would have had much more severe problems due to European consumer protection laws.

It’s that there have been no deaths (that have been documented…yet), otherwise I suspect Microsoft would have some serious legal problems by now…so let’s hope they’ve learned their lesson and provide free patches for any other major security holes. On the other hand, of course, as many US tech companies seem to think they’re above the law or can make the laws themselves, perhaps that is merely wishful thinking on my part…

anony May 16, 2017 5:01 PM

I think the infection vector is likely to be an old “auto-update” site.

These systems are looking up a site checking for updates, and getting a weaponized payload.

Could be any number of legacy programs…

Neto May 16, 2017 5:14 PM

Isn’t it irresponsible to spread the typical rumors of “China, Russia, Iran, North Korea are evil” without the tiniest shred of technical evidence that would point in that direction?

There’s no insightful TL;DR here. Only intent to damage and clickbait when people all too eagerly blame the Boogeyman.

I have to say I’ve been disappointed for a while now in the politicized focus Bruce has taken during and after the US election seemingly buying into (or at least begging the question) every non tech analysis that blames USAs “rivals” for everything.

Max May 16, 2017 5:30 PM

The “kill switch” has a rather obvious function (nothing to do with detecting sandboxes): it’s a way of excluding computers from attack. That is, the attackers added the magic domain to a DNS server under their control to prevent the attack from rebounding on themselves.

david in toronto May 16, 2017 5:31 PM

@Thomas H

To release or not release a patch is a delicate question of balance. XP has been officially dead now for 3 years after 12 years of support. AFAIK even the custom paid for beyond extended support was gone last year. They may have just got lucky on a fix because embedded is still supported on some level.

So much is totally broken in XP and everyday more things won’t work. Eventually the hardware that it runs on will decay at the circuit board level.

But, if you keep supporting it in parts, people won’t get off it. Perhaps in exceptional cases MS weighs customer satisfaction for potential future purchases and possible litigation or government penalties. And there is the danger of precedent.

With Shadow Brokers threatening a dump a month, how long before they have to do this again? How many more scares like this will it take to get rid of the albatross that is XP?

Max May 16, 2017 5:48 PM

“No, Microsoft had that patch available for all paying Windows XP exteneded support customers. NHS decided to neither upgrade WinXP nor continue to pay for extended support.”

In other words, Microsoft is also in the ransomware business.

John Harris May 16, 2017 6:03 PM

Whenever journalists cite anonymous sources blaming some nefarious act on a “[fill in the blank]-linked” perpetrator, you can be certain that the point of the exercise is to smear [fill in the blank] and divert attention from the actual criminal(s). These reports never bother to explain how readers should interpret the term “linked.” Does it mean that someone has alleged a connection between two parties, or that a connection actually exists? What exactly is the nature of the linkage?

Now we are asked to reconcile two incompatible concepts just in the first two paragraphs of the Times report. North Korea-linked hackers are the “likely suspects,” yet the “indicators are far from conclusive.” How are these hackers adjudged “likely” suspects when the “indicators” are so inconclusive? And if there are likely suspects, are there unlikely ones as well? Who are they? And how exactly do we know that “weeks, if not months,” may pass before these unidentified investigators can “officially point the finger” at North Korea? Will it take that long to complete the frame job?

And excuse me, but were “vulnerabilities” stolen from the NSA as the article claims or exploits of vulnerabilities? How does one steal a vulnerability? I can imagine stealing information concerning a vulnerability, or an exploit of a vulnerability, but I don’t understand how one steals a vulnerability itself.

One last question: why the hell has no one been fired over this? If developing these exploits is not a firing offense, then certainly losing control of them must be. Shouldn’t someone in a position of responsibility be held to account?

Pete May 16, 2017 6:27 PM

What Bruce, your handlers in the US TLA’s have realised we ain’t buying all their “Putin did it” bullshit ?
Good we have North Korea then, if we didn’t – We would have to invent it !

anony May 16, 2017 6:50 PM

along the lines of the “auto-update” vector, i wonder if all the machines infected were old Compaqs….

pebble in boot May 16, 2017 7:35 PM

@Dirk Praet

“Reducing the issue to identification of whoever is behind WannaCry does not solve the underlying problem…”

You, of course, state what should be considered the obvious. Now it’s just a matter of deciding whether to file this report under “D” for distraction or “M” for misdirection.

I find myself reminded of this quote more and more often…

“In the eyes of posterity it will inevitably seem that, in safeguarding our freedom, we destroyed it. The vast clandestine apparatus we built up to probe our enemies’ resources and intentions only served in the end to confuse our own purposes; that practice of deceiving others for the good of the state led infallibly to our deceiving ourselves; and that vast army of clandestine personnel built up to execute these purposes were soon caught up in the web of their own sick fantasies, with disastrous consequences for them and us.”

— Malcolm Muggeridge, May 1966

Sam Varghese May 16, 2017 8:08 PM

The New York Times? The same gang who apologised for their biased coverage of the 2016 US election? The same gang who led the nation to war against Iraq, with Judith Miller leading the charge? Amazing that anyone swallows what they print anymore.

Patriot COMSEC May 16, 2017 9:21 PM

One hopes that the NSA does know who did it, or at least that they have solid info as to the point of origin and the exfil’s point of collection for the bitcoins. Something as big as this is going to garner a lot of attention, and so some ally, take Israel for example, might have interesting capabilities that give definitive answers. Who knows?

As far as North Korea goes, I think it is important that they not be underestimated. Having minimal resources often turns out to be an advantage. In my thinking, North Korea is not just a regional threat, they are a threat to humanity. We are used to rogue individuals, but state-sponsored cyber-crime from a rogue country is on another level.

Ren May 16, 2017 10:07 PM

@Patriot COMSEC

Actually, what one hopes is that the NSA would keep better track of their toys.

…and one can only hope to speculate as to what “interesting capabilities” of today will be lost and unleashed against the public in the future. Who knows?

Drone May 16, 2017 11:27 PM

The New York Times… Pffft, get real. Those clowns will publish anything – true or not.

Wanna Decrypt0r is of-course derived work, so there are going to be trace similarities with lots of other malware code out there, including stuff from North Korea. That’s a long way from being able to say NoKo “created” Wanna Decrypt0r.

What’s surprising here is that the New York Times didn’t print an article blaming Trump for the malware!

Winter May 17, 2017 12:41 AM

With all the conspiracy theories floating around I tend to apply Hanlon’s razor:
“Never attribute to malice that which is adequately explained by stupidity”

So, whenever I see a new conspiracy theory, I seriously consider the option that the person airing the theory is simply “incompetent”.

Will May 17, 2017 2:30 AM

By playing the “state actor” card they make people shift the blame from themselves for not patching, Microsoft for writing buggy code, NSA for sitting on the exploit, NSA for losing control of the exploit etc to some fuzzy “state actor” who normal people believe they can’t defend against anyway.

The “state actor” card is saying “its ok, it wasn’t our fault”.

The NY Times is doing the public a very big disservice.

Andrew May 17, 2017 3:31 AM

I believe that the malware author(s) stuffed up the code and didn’t intend for there to be a kill switch. Looking at some of the code, it seems that the author may have failed to complete the criteria for that specific condition … didn’t the script bail out instead of hitting the detonate() function in some of the published examples?

Where is the evidence to suggest NK? I highly doubt that NK would have been brought up as a suspect if the tensions and media coverage of US and NK wasn’t mainstream at the moment – doesn’t make a lot of sense without first seeing the raw evidence.

Do they know the time zone of malware creation?
Are there hints of NK language without specific variants/code?
Do IPs map back to NK and has the use of proxies been eliminated?
Does the coding style match that of known NK-derived malware based on historical analysis and comparison?
Who is reporting suspected NK? Where did that rumour originate and who was the original source(s)?

So much speculation, joys of the internet!

Time will tell.

Dirk Praet May 17, 2017 3:53 AM

@ david in toronto, @Thomas H

To release or not release a patch is a delicate question of balance.

It is in the sense that continued release of security patches for known exploits might negatively affect bonuses due to loss of revenue as even fewer customers would buy into Microsoft’s “extended support” racket. But, hey, who cares if little people suffer or critical infrastructure goes down when management bonuses and shareholder dividends are on the line? While such reasoning makes perfect sense from a business vantage, it fails any ethical or moral standard.

What the average bean counter fails to understand is that many people are still on XP/Vista because, however old and obsolete in the vendor’s eyes, they still fit the needs of those users, because they simply can’t afford to upgrade or lack the knowledge to migrate their legacy hardware to OpenBSD. It’s not any different for the millions out there still holding on to old and insecure Androids, Nokias and Blackberries, and the situation has gotten even worse with the arrival of the IoT.

To me, it is painfully clear that the tech industry has created a multi-headed monster the unleashing of which they refuse to assume any responsibility or accountability for and which eventually will blow up in everyone’s face unless governments and regulatory bodies force them to.

@ Max

In other words, Microsoft is also in the ransomware business.

That is exactly what it boils down to.

Clive Robinson May 17, 2017 5:59 AM

Two things to note before getting into the attribution game.

Firstly we humans are in general limited by our understanding of the physical world, and have little understanding of the information universe.

When we buy something such as a car or book or children’s toy we don’t expect it to have harmful defects hidden away within it. Further, if there are defects discovered it’s usually at the beginning of a product’s lifetime, and if serious a product recall is put in place (think the recent phone with burning batteries problem). Thus once we own a product we expect to be able to use it until it falls apart on us.

This is not the case with software: it’s riddled with bugs and thus attack vectors, with by far the majority unknown throughout the product life. As bugs are found, unlike physical products, information products are not recalled; they get patches which the user is expected to incur the cost of downloading, installing and operating. And there is apparently no recourse if the patch causes harm…

There is a Catch-22 in this. If we force information products to take on the same liabilities as physical products, the software companies would either disappear overnight, or software would flip back to the sort we had with terminals of big iron mainframes in the 1970s, and the Internet as we know it would cease to be accessible.

Thus we have to accept that if we want the bells and whistles of having software on our hardware products there is a price to be paid personally. We get forced onto an upgrade hamster wheel or we drop out of communications with other computers, to avoid having the inbuilt bugs used against us. That is, we have to treat software as a hazard to our health. Think of it like buying a book that, when you put it on the shelf, might explode, destroying all your other books if you use the doors, windows, phone, television, radio etc. in your house to communicate with the outside world…

Thus we have to think of information products in a very different way to physical products, and it’s really well outside of our usual perception, and that is problematical.

Secondly, we have to stop allowing the unqualified to make gut-feeling choices. In particular politicians and their ilk, who actually rarely suffer the costs of their poor guesses.

Whilst the politicians are trying their best to distract the public away from it, the failure for the NHS is being actively created by politicians. In the case of XP, back in 2015 the Secretary of State for Health in the UK, Jeremy Hunt MP, decided for political mantra reasons not to renew the NHS XP support with Microsoft. The cost saving was small, less than nine pence per user of the NHS, and in the same period Jeremy Hunt’s personal unearned wealth has increased by many times what that support contract would have cost.

Likewise we see in industry the mental viewpoint of very short-term thinking. Basically maximise short-term profit by destroying the resilience in the long-term future.

If we are to stop the likes of cyber-wars we have to change our way of thinking. If we don’t then we are just going to continue the tail spin we are currently in.

We kind of have to view software on our own hardware like storing explosives which become not just more unstable with time, but also more powerful in the damage they do with time…

rahkonen May 17, 2017 7:08 AM

As has been brought up before (even in Bruce’s articles) there are ways for the intelligence operatives in one country to make it look like malware was produced in another country. This is not just done for hiding the original source or intent of the malware but also for political interests.

And as people should have learned from attacks of a more physical nature, there are ways for the intelligence community to make it look like something was built by near-amateurs. It’s their way of adding one more layer of misdirection.

This is all obvious, of course. Or should be, at least to the readers of Bruce’s blog.

Still I do not mean that any of this was done in this case. This malware could well have been built by some near-amateurs with no connections to U.S. intelligence community, somewhere outside of USA.

But an interesting thing about it is that at least Russia seems to have been dropped as the usual culprit. Perhaps the spirit of the times has changed against Russia and there now is more political interest in blaming North Korea?

Winter May 17, 2017 8:19 AM

“Thus we have to think of information products in a very different way to physical products, and it’s realy well outside of our usual perception and that is problematical.”

Maybe we should see software as fresh fish? Or fresh milk?
If it has been standing around for a few days, we should replace it. And always keep them inside a refrigerated environment.

Bruce Schneier May 17, 2017 8:33 AM

“My guess is that this was just some noob hashing together various pieces of code that they found lying around the web.”

I don’t think it was some noob, but I think a criminal organization is more likely than the North Korean government. But the North Koreans have surprised me before, and I’m trying to keep a more open mind this time around.

Clive Robinson May 17, 2017 10:01 AM

@ Winter,

Maybe we should see software as fresh fish? Or fresh milk?

Yup, milk especially has a parallel… Back in the Victorian era there was a belief that when milk started to smell buttery, not creamy, you should add a little lye to it. So although on the surface the milk was refreshed it was actually steadily going poisonous, but your nose was not telling you so.

So you could regard software patches as being the lye in the milk of the application.

@ Bruce,

But the North Koreans have surprised me before, and I’m trying to keep a more open mind this time around.

It’s not just the NKs, it’s all halfway competent IC agencies of just about any country you could name without having to get a map out.

For some reason there is a bunch of wishful thinking about a bunch of ones and zeros that do damage to our very poorly written, overly complex, mainly useless feature-rich applications and OSs. People like to believe that:

1, It’s difficult to write malware.
2, It’s difficult to stop malware.
3, That Locard’s principle applies to software.
4, That code cutters have unique styles that are fingerprints.
5, That you cannot falsify malware.

All of these are false assumptions, and if we keep making them we are going to end up with pie in our faces.

Malware is not that difficult to write; the hard part, which is often more luck than skill, is finding the exploit. In fact if you know where to look malware code is almost trivial to get hold of. In this respect it’s much like the coding style of a lot of people: they look up an example on the internet, pull out the bits they want and stitch it together. It’s something you would expect bright teenagers to be able to do.

As for stopping malware, it’s easy to do but there is a price to pay, which is you lose or severely restrict connectivity. There are ways to mitigate some of the effects, but due to the way hardware design is going, building systems with no semi-mutable storage that can be got at from an Internet or other connection is getting difficult if not impossible. Thus we need to think seriously about how we design our hardware, and how we communicate. The likes of the fetish for IoT and similar is going to bring this to a head within a year or two at the most; the question is how long will it take us to clean up the midden on our doorsteps.

To demonstrate a basic issue of human thinking, there are the assumptions we carry forward from our physical world perspective to the information universe. We instinctively believe that what applies to the one we are familiar with also applies to the one we are not, and we trip over our assumptions. What makes it worse is that the physical world we perceive is very likely to be a subset of the information universe, thus many assumptions do carry across, but by no means all. One such is the fundamental tenet of forensics, Locard’s exchange principle, where the assumption is that objects and entities exchange parts of themselves or leave toolmarks etc. which are unique identifiers. The simple fact is this really is not true for software toolchains and the end product of executable code.

Unfortunately a number of people on the forensics side also incorrectly believe that code cutters have unique styles that can be used as hard and fast as fingerprints. We even know that this is not true in the physical world, so why on earth should we believe it’s true in the information universe, where its representation in ones and zeros can be endlessly copied and sliced and diced whichever way a person adept with an editor might wish.

Denying that you can slice and dice to your heart’s content to remove statistical traces unfortunately gives rise to something that is really silly when you take a step or two backwards and think about it. Which is the notion that you cannot falsify malware. At the very simplest you just copy someone else’s code and the way it works. You then make one or two small changes by cutting, pasting and modifying parts of code from other software that has been “supposedly” identified. Fish chase lures and get hooked even though a lure looks very little like a fish; are we really all just as bad?

With the way things currently work with computers and the Internet it’s easy to fake not just sources of attacks but destinations of data etc. Thus we need to look outside of the computers and Internet to find evidence that is actually indicative. This is always going to be physical world evidence, be it as difficult as Human Intelligence or as simple as tracing proceeds of a crime.

Currently we do not have any such physical world evidence which means that attributing would be very slipshod at best.

In the intelligence game of smoke and mirrors there are ways to build up confirmation, you basically supply your assumed target with a small but identifiable piece of false information. You then observe if the target takes action in a way they would only have done if they had received that piece of information. The problem is such techniques are probabilistic in nature not definitive.

Thus attribution is hard, and going off half cocked is likely to hurt the person firing the shot more than it does the person they are aiming at.

Thus the NY Times has gone off half-cocked again and more and more people are becoming cautious about what they say.

I have my own reasons for distrusting the NY Times as I’ve mentioned in the past. Thus I can see a connection as to why the NY Times might well publish a story that would be helpful to UK political interests as this story is likely to turn out to be.

Sean May 17, 2017 12:56 PM

With Adylkuzz, we can try to understand how North Korea has been suspected as possible culprit for WannaCry.

ab praeceptis May 17, 2017 1:48 PM

The “evil North-Korea (TM) did it” assumption doesn’t make sense. As in the case of NK we can, indeed, assume that that would mean the state, we would have to look at the political aspects as the guiding ones.

NK considers the us of a as Satan himself and understandably so after millions upon millions of dead Koreans. Moreover NK isn’t interested in making trouble for the fun of making trouble. What they do is pretty much – and consistently – guided by very few points, the most important of which is the TRUE observation that the us of a has never attacked an opponent who has nuclear arms. Their current program to somehow be capable of a nuclear attack on the us of a mainland is but a logical extension of that. Obviously NK would be much more secure if they could not just mass kill us-american occupation forces but also the us-american cities.
Which btw. also explains the relentless us-american (plus vassal states) efforts to keep NK away from nuclear weapons, especially from one that could reach the us of a.

And NK pays a very, very high price for that. One can be absolutely certain that NK does not do anything stirring up anger besides their nuclear program. Especially not in the area of cyber war where NK is very weakly positioned.

Another point that clearly contradicts the evil NK (TM) accusation is that Russia was/is one of the major victims.
For one Russia is among the very few countries who were and are fair to the North-Koreans. It would be utterly stupid to pi** them off as that would immediately translate to ending up much weaker and losing one of very few powerful friends. Moreover NK knows that Russia is the real mil. power wide and far and that Russia has and does right now use that power to keep some of the players reasonable.

On the other side we have us of a politicians and agencies well known for faking and mis-attributing whatever they please and to mass murder people (just like they did in Korea). Do I need to remind anyone of the cia bragging about their capability to pin anything on anyone?

Ratio May 17, 2017 9:38 PM

From the interview with Ross Anderson that was posted last week:

Is the use of cyber conflict instead of armed conflict using planes, and tanks, and drones an improvement? Well, we’re going to have to wait and see. There is the risk that the threshold for starting a cyber conflict will be lower. People will think that they can get away with it, that attribution is hard. They often make mistakes on that.

(Emphasis mine.)

Thomas_H May 18, 2017 2:26 AM

@Winter, Clive:

LOL. And the software vendors are akin to stalls on a street market, ranging from the expensive uptown seller who always has good quality fruit for high prices but who won’t accept any criticism of worms in apples because such things never happen in his stall, to the run-of-the-mill leather seller that sells decent quality but rather inconspicuous bags for a somewhat advantageous price, to the enormously friendly milk seller whose cheap and popular milk unfortunately comes from cows in fields close to the local dioxin-spewing factory.

Clive Robinson May 18, 2017 5:00 AM

@ Ratio,

Ross Anderson was probably referring to what went on prior to his 2009 paper on “Snooping Dragon”

Back then things were the other way around to the way they are today in the attribution game. Ross had done his homework and the attribution to China he presented was reasonably sound…

But nobody officially wanted it to be true then for political reasons thus shots were taken at the messenger.

I like others who comment here do not blow hot then cold then hot again whenever the political wind changes direction when it comes to attribution. We ask for a certain burden of proof prior to making a claim.

As it turns out in this particular case an early version of the WannaCry ransomware used code from earlier malware used to conduct successful thefts of money.

Depending on your viewpoint and its underlying assumptions you might or might not accept that those who identified the original code as being from a group that has been christened Lazarus, that likewise has been said to have ties to North Korea based on various assumptions.

The problem is that some of the supposed evidence backing the Lazarus Group idea and claims is to put it mildly tenuous. Worse there are other indicators that suggest that this is not as likely.

The early version of the WannaCry ransomware had not just code attributed to the Lazarus group, but code taken from other places, so we know there is more than one piece of code reuse. However other attacks attributed to Lazarus not just worked, but worked well, and importantly the back-end financial system worked. The same can not be said of WannaCry ransomware.

Thus you have a set of arguments in one direction whilst also having a set of arguments in the opposite direction. But there are other indicators, the code attributed to the Lazarus group has identifiable purpose that can be said to align with North Korean aims, which is to get money (which is also the intent of most cyber-crime). However this WannaCry ransomware appears to lack purpose other than to be a problem to those running Microsoft OSs that are no longer under normal support… Thus it could be argued that it was actually aimed at making Microsoft and its special support look bad, which is not something that aligns with either previous Lazarus group code or North Korean aims and objectives so far established…

Even the people that noted the original reuse of supposed Lazarus Group code[1] and other similarities[3] did not say the WannaCry ransomware was from the Lazarus Group or North Korea…

What is lacking so far is an unbiased break down of both differences and similarities so that a differential diagnostic can reasonably be carried out. Until that happens all we have is “hearsay” not “opinion” and by no means “evidence” in the accepted sense even for the “balance of probability” of a civil action.

[1] Google researcher Neel Mehta tweeted two points in an early version of WannaCry, which showed code from earlier malware Contopee.

[2] Contrary to what many have indicated the WannaCry authors didn’t actually use the NSA code, they actually copied it from the version in the open source project Metasploit tool.

[3] Kaspersky blogged about Mehta’s tweet[1] very shortly after with analysis of the similarities, they did not definitively say that WannaCry came from North Korea or the supposed Lazarus group.

[4] Neither Neel Mehta nor Kaspersky have actually said very much beyond pointing out similarities. Others have run with this without doing their own analysis, which has made the reporting far from unbiased. Whilst Kaspersky have acknowledged the possibility of a false flag operation, they discount it as being too complex for the people that made the buggy WannaCry. Which unfortunately is circular reasoning.

Luis C May 18, 2017 7:19 AM

I personally think that wannacry (whoever made it) may be a proof of concept because of its “emergency stop” trigger. If that is correct another wave of (stronger?) ransomware could be on the way.

snap snap May 18, 2017 8:21 AM

Cyber criminals do need the internet to function and businesses too also be up. Considering all the other vulnerabilities in ___________ and ___________ then it’s a good thing it’s crims/others at this point.
The less said in this direction the better. Cyber weapons are a Pandora’s Box.

Clive Robinson May 18, 2017 8:52 AM

@ Luis C,

I personally think that wannacry … may be a proof of concept

The early version from Feb may well have been, but the later versions contain problems.

I’m thinking that whoever built it scraped code and ideas then bolted it all together without doing any real kind of testing.

This sort of slapdash thing is not what the tools –that are alleged to be from the supposed Lazarus Group– that attacked Swift were like. Further the tools that were used against the Swift financial network had a very clear function and were used to successfully achieve the task of stealing quite a large amount of money. This ransomware really has no clear purpose other than to be more of a nuisance than a revenue generator.

Thus there is the very real appearance of two groups… One taking an almost professional approach and achieving clear objectives, in a well ordered way. The other slapdash with little or no originality, poor implementation of anti-forensic and financial realisation methods and poorly executed.

Thus the MO differences not the occasional code copying would suggest two groups, one professional and coordinated, the other not…

As for what turned out to be a kill switch, you have to ask several questions. The choice of domain name suggests it was not something that was being tested, you’d pick a much simpler name for that. Likewise it’s way too simple as a kill switch, too easy to find and thus be used by targets. Hence the viewpoint some have that someone wanted to add an anti-forensics feature, but never got it out of the idea phase, thus a part implemented prototype with not implemented code stubs that never even got to the point of being tested let alone put into a production ready idea.

I would not be surprised to find that at the end of the day it will be a variation of the archetypal “400lb acne riddled teenage agoraphobe hiding in a bedroom in his parents’ trailer south of slamdunk nowheresville” meme, that various people pull up from time to time. Not some variation of the supposed “Elite group of ninja coders working with military discipline” meme.

Thomas L. Friedman May 18, 2017 11:05 AM

When Bruce writes to his blog about a story in the NYT or Wash Post it is the equiv to Thomas Friedman talking to a cab driver and writing some drivel.
Not much to do about security here.

Countryman May 18, 2017 3:33 PM

When testing Clive’s hypothesis of two groups, be careful of evidence that is also consistent with an intelligence agency and its cutouts. Allowing the malware to proliferate is a great way for an intelligence agency to cover its tracks. You’ll find you cannot reject the hypothesis that Lazarus is Israeli state malware leaked for adaptation to Russian mafiya cutouts inimical to the GoR. CIA will prove to be witting by virtue of Eyes-Only intelligence liaisons with Israel. If the Bangladesh heist had worked, that money would have gone straight to ISIS. The failure of the theft required a crowd that 8200 can get lost in.

We leave as an exercise to the reader the questions, Which thwarted crime required CIA to disseminate Vault 7? and, Who thwarted it?

Ratio May 19, 2017 3:05 AM

@Clive Robinson,

Ross Anderson was probably referring to what went on prior to his 2009 paper on “Snooping Dragon”

I don’t think I’d seen that paper before; I’ll have a look later. Thanks.

What Ross Anderson said in that interview was:

People will think that they can get away with [cyber conflict], that attribution is hard. They often make mistakes on that.

(Emphasis mine.)

Note the tenses of those verbs. He’s not talking about a situation that has since changed. He’s describing the current (and future) situation.

Patriot COMSEC May 19, 2017 9:40 AM

I don’t think it’s the DPRK. From the incident map, I guess Russian criminals–Samara?

But it is just a guess.

I saw a WannaCry infection in Thailand in 2014-15, and that was at a university.

This attack has definitely hit the country, but it has been limited.

That 2014-15 attack was on a pirated version of XP, and so no surprises there.

Alex May 20, 2017 6:35 PM

There can be no proof with state run hackers, the art of fingerprint faking is as common as the hacks performed, besides why would anyone trust a US agency to tell you what’s really going on?

gordo May 21, 2017 4:48 PM

tftp=on [tin-foil topper protocol]; grain of salt; etc.

The WannaCry/Eternal Blue ransomware/worm is another controlled burn from/set by The Shadow Brokers (TSB).

Though there was prior TSB activity, auctions & data dumps, here’s what 2017 has brought us:

First, there was the TAO Windows Tools dump preceded by the shout out of tool version numbers at auction.

Second, was the WannaCry kill switch.

Third, TSB’s announcement of monthly dumps beginning in June fits with what could be a pattern. Rather than auction, dump and disappear, we may now have auction, dump and [constrained] attack. How will the monthly subscriptions plan roll?

In a sense the TSB subscription offer is like a lottery where if you win, you lose. Barter Town, “Bust a deal, face the wheel”, of Mad Max fame, comes to mind.

Monthly subscription offers or promos from TSB with details included provide advance warning. Manufacturer security bulletins are leading indicators of vulnerability disclosures. Microsoft doesn’t say when or whether they received vulnerability disclosures from the NSA.

Where this goes is anyone’s guess.

TSB, given their auction and ransomware acumen, are apparently not in it for the money. In keeping with the controlled burn analogy, this will go on for some time. If not every trick in the book, we’ll likely see more surprises.

Yes, tricksters; . . . what was that about a kill switch? EternalBlue?

Culturally, this is security theater of the highest order.

It’s a Kabuki code klatsch/theatre of the absurd/performance art/lulz2 spoof. If the OpSec holds and TSB disappear without a footprint, that’s an endgame that makes the likes of D.B. Cooper proud.

Optimistically, what we may be seeing is a real-time master class in digital insecurity; Unsafe at Any Speed. The attack surface includes contradiction and unenlightened self-interest, to name two. Given the medium, those and like realities get surfaced, at scale, one data dump at a time—attack warez gone wild.


In what might now be an homage to a new era, signaled back in January 2015, You Say You Want an Attribution: The Sony Hack Attribution Generator.
gordo May 24, 2017 4:44 PM

Symantec attacked over claims that WannaCry ransomware is the work of North Korea
WannaCry links to North Korea “premature, inconclusive and distracting”, claims Institute for Critical Infrastructure Technology
Graeme Burton | Computing | 24 May 2017

In addition, Scott claims that while Symantec highlighted some of the tools used in WannaCry associated with Lazarus, it ignored other tools used that weren’t. In other words, Scott accused Symantec of being selective in what it chose to highlight in its research.

There’s Proof That North Korea Launched the WannaCry Attack? Not So Fast! – A Warning Against Premature, Inconclusive, and Distracting Attribution
By James Scott, Sr. Fellow, ICIT | May 23rd, 2017

Last week, ICIT urged responsible news outlets to focus on meaningful aspects of the May 12, 2017 WannaCry attack on over 230,000 systems in over 150 countries, such as the desperate need for security-by-design in software and technology, the perpetual failure of organizations across the globe to secure their …

gordo May 24, 2017 5:31 PM

May 24, 2017 | emptywheel

But the part that CNBC has read to mean Shadow Brokers endorsed this theory instead does nothing of the sort; if anything, it does the opposite. I read it as a comment about how quickly we go from dodgy attribution to calling for war. And it comes with a sarcasm tag!

Moreover, why would you take Shadow Brokers’ endorsement for anything? Either they did WannaCry (which actually seems to be what CNBC suggests; Krypt3ia makes fun of that possibility, too), in which case any endorsement might be disinformation, or they didn’t do it, and they’d have no more clue who did than the rest of us.

The entire exercise in attribution with WannaCry is particularly odd given the assumptions that it is what it looks like, traditional ransomware, in spite of all the evidence to suggest it is not. And so we’ll just ignore obvious tags, like a “sarcasm” tag, because accounting for such details gets very confusing.

Clive Robinson May 24, 2017 6:15 PM

@ Gordo,

Symantec attacked over claims that WannaCry ransomware is the work of North Korea

If you want to look back at the Friday Squid, you will see that some of “the usual suspects” called the attribution suspect for exactly the reasons James Scott gave yesterday, but we did it within hours of Symantec’s supposed attribution not a week later.

Maybe James Scott reads this blog 😉

gordo May 25, 2017 9:20 PM

@ Clive Robinson,

“Measure twice, cut once” is not a bad practice. The usual suspects, however, yourself included, do call out confirmation bias at speed.

It seems to me that at one time threat-actor profiling might have been more reliable as there were fewer players on the field. Code-cutting and other TTPs are now interchangeable and proliferating.

It seems to me, as well, that non-attribution attribution, i.e., evidence-free or evidence-lite assertion, if not outright fake news, conjecture at best, is also spreading.

As ICIT rightfully points out, such attribution speculation takes the focus off of issues that can, should and need to be addressed.

Last, a timely quote from Ross Anderson:

There have been newspaper editors who played the man not the ball. Is this going to become the new normal and, if so, what happens to democracy?

The above interview is blogged on Schneier on Security at:

Clive Robinson May 26, 2017 5:31 AM

@ gordo,

As ICIT rightfully points out, such attribution speculation takes the focus off of issues that can, should and need to be addressed.

Yes, there is always more behind things than are generally visible. The problem is though if somebody claims to have seen behind the curtain and makes certain claims, how do you go about verifying them.

For instance this got sent to my workspace a short while ago,

How to go about verifying not just parts or the whole, but also the context it aims to set.

gordo May 26, 2017 5:11 PM

@ Clive Robinson,

How to go about verifying not just parts or the whole, but also the context it aims to set.
gordo May 30, 2017 6:01 PM

Linguistic Analysis of WannaCry Ransomware Messages Suggests Chinese-Speaking Authors
Jon Condra, John Costello, Sherman Chu | Flashpoint | May 25, 2017

Flashpoint analysts . . . also included a linguistic and cultural review of the 28 ransom notes found within the WannaCry malware to determine the native tongue of the author(s).


Flashpoint analyzed each of the notes individually for content, accuracy, and style, and then compared results. Analysts also compared the ransom notes to previous ransom messages associated with other ransomware samples to determine if there was reuse.

. . .

This alone is not enough to determine the nationality of the author(s).

New Data Shows Most WannaCry Victims Are From China, Not Russia
By Catalin Cimpanu | Bleeping Computer | May 30, 2017

“[WannaCry] velocity was so high that within one week it could propagate more than every spam campaign, exploit kit, website hijack, you name it attack type using a single vulnerability,” the Kryptos Logic team added. “We can only imagine the damage this worm would have unleashed had it been used while ETERNALBLUE was still a zero day vulnerability (not fixed by Microsoft).”

WannaCry: Two Weeks and 16 Million Averted Ransoms Later
Kryptos Research | May 29, 2017

Here we argue that the real number of affected systems, by assessing the sinkhole data, is in the millions, and we further estimate between 14 to 16 million infections and reinfections have been mitigated avoiding what would have been chaos, since May 12th. Our estimate is a few hundred thousand systems were disrupted by the ransomware payload until the kill switch was activated followed by a conservative 2 to 3 million affected systems which were not disrupted by the payload. Without the mitigating effect of the kill-switch, this number could have plausibly infected vulnerable systems well into the tens of millions or higher.

WannaCry Infection Flow:

gordo June 1, 2017 8:55 PM

Another approach to the ‘who wrote WannaCry?’ attribution question:

Analysis of competing hypotheses

The analysis of competing hypotheses (ACH) provides an unbiased methodology for evaluating multiple competing hypotheses for observed data. It was developed by Richards (Dick) J. Heuer, Jr., a 45-year veteran of the Central Intelligence Agency, in the 1970s for use by the Agency. ACH is used by analysts in various fields who make judgments that entail a high risk of error in reasoning. It helps an analyst overcome, or at least minimize, some of the cognitive limitations that make prescient intelligence analysis so difficult to achieve.

[ I don’t know about ‘unbiased’, but at least the last sentence cleaned that up a bit. ]

Digital Shadows Analyst Team | 18 May 2017

Though by no means definitive, we assessed that a WannaCry campaign launched by an unsophisticated cybercriminal actor was the most plausible scenario based on the information that is currently available.

WannaCry Attribution: I’m Not Convinced Kim Dunnit, but a Russian….
Peter Stephenson, Technology Editor | SC Magazine | May 22, 2017

I counter the prevailing hype that the campaign easily is attributable to North Korea with reliable intelligence that I have that points to Russian involvement. No, not a state-sponsored attack. This intel points to individual actors with limited skills stitching together a Frankenstein’s Monster of weaponized ransomware from body parts stolen from NSA and some underground resources. It points to several – not many, really – actors who are little more than script kiddies trying to search out people in the underground forums – particularly vetted-membership Russian hacking forums – who actually know what they are doing and then trying to get help to sew up the monster. Adding the NSA tools brought down the lightening and the monster lived – all over the Internet.

Ignoring my deathless prose (please) let’s take a closer look at what evidence might support that intel. …

[both Digital Shadows and Rid & Buchanan are referenced by Stephenson; the Rid & Buchanan paper was also blogged here: ]

coda/slightly off topic:

WannaCry is a fine example of digital contagion. Attribution requires international cooperation—let alone estimating the cost of cybercrime, or maybe not. Hmm, who’s not getting hit? To my knowledge no nation state or international body has yet attributed the actual WannaCry attack to anyone. That reminds me that, as far as I know, no one has been arrested for the 2016 DYN cyberattack. Given that, and should the above ACH’s hold, as well as no international cooperation (which may be a tell in itself), a couple of years from now we might see the same conclusion on WannaCry: The script kiddies.

gordo June 10, 2017 2:08 PM

Is WannaCry Really Ransomware?
By Carl Woodward and Raj Samani on Jun 08, 2017 McAfee

The WannaCry authors demonstrated good technical governance, for example, the key handling, buffer sanitization, and private key security on disk using a strongly encrypted format. It is odd that with such good governance, the same group neglected to include something as essential as a unique ID for a user (or instance of attack) because this is mandatory to decrypt a specific user’s files. While much of the initial analysis described the WannaCry campaign as “shoddy,” the use of good technical governance suggests that there are elements of this campaign that are well implemented.

This competence raises doubts that the campaign was shoddy. Given the level of capability demonstrated, we would expect the developers would have found and fixed basic errors. Indeed, could the inclusion of these basic errors be an attempt to make the campaign appear amateur? Without apprehending those behind the campaign, it is impossible to know their motivation; yet a thorough analysis of the technical artefacts questions the shoddy theory.

gordo June 15, 2017 8:06 PM

National Security
The NSA has linked the WannaCry computer worm to North Korea
By Ellen Nakashima | The Washington Post | June 14, 2017

The assessment, which was issued internally last week and has not been made public, is based on an analysis of tactics, techniques and targets that point with “moderate confidence” to North Korea’s spy agency, the Reconnaissance General Bureau, according to an individual familiar with the report.
