The Hill Cybersecurity
Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We’re here to connect the dots as leaders in government, policy and industry try to counter the rise in cyber threats. What lies ahead for Congress, the administration and the latest company under siege? Whether you’re a consumer, a techie or a D.C. lifer, we’re here to give you …
THE BIG STORY:
–MAKING SENSE OF NORTH KOREA: The computer code from the Wanna Cry ransomware appears to copy large swaths from malware written by The Lazarus Group, a group tied to North Korea.

–…DOES THAT MEAN ANYTHING? That’s hard to say. The overlapping code appears only in early versions of Wanna Cry released in February. Kaspersky Lab noted that the matching code was removed from later versions of the ransomware, which it believes would be unlikely if the code had been planted to throw researchers off the scent of the real criminals. “We believe a theory a false flag although possible, is improbable,” Kaspersky Lab explained in a blog post. Meanwhile, Symantec found tools used by Lazarus embedded on some of the first computers to be infected by Wanna Cry – a version that predated its use of NSA-linked tools to propagate the ransomware. Symantec hints this may mean that Lazarus tools were the original method used to spread the ransomware. And Simon Choi, a South Korean researcher at Hauri Inc., says that he has come across North Korean hackers looking to build ransomware in the past.

–…ON THE OTHER HAND: Neither Symantec nor Kaspersky considers the ties conclusive. Hackers copy code for reasons other than framing another actor; reusing someone else’s working code is simply convenient. And, if Wanna Cry was North Korean, the country made a curious mistake in the design of the ransomware.
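The overlap Kaspersky and Symantec describe is found by looking for byte sequences that two samples have in common, not by eyeballing them. The Python below is an added illustration of that kind of shared-fragment check; it is not code from this newsletter or from either vendor. The “Lazarus tool”, the February and May “Wanna Cry builds”, the planted routine and the 16-byte window size are all constructed assumptions, not real malware bytes.

```python
"""
Shared-code check between malware builds (added illustration).

The samples below are constructed byte strings, not real Lazarus or Wanna Cry
code: one made-up routine is planted in a "Lazarus tool" and in a "February
Wanna Cry build", then replaced in a "May build" by a different routine.
"""
from typing import Dict, Set


def fragments(blob: bytes, n: int = 16) -> Set[bytes]:
    """All n-byte windows of `blob`. 16 bytes is long enough that a match is
    unlikely to be a coincidence such as a generic compiler prologue."""
    return {blob[i:i + n] for i in range(len(blob) - n + 1)}


def shared_fragments(a: bytes, b: bytes, n: int = 16) -> Set[bytes]:
    """Windows present in both samples."""
    return fragments(a, n) & fragments(b, n)


def overlap_ratio(a: bytes, b: bytes, n: int = 16) -> float:
    """Jaccard similarity of the two fragment sets (0.0 = nothing in common)."""
    fa, fb = fragments(a, n), fragments(b, n)
    union = fa | fb
    return len(fa & fb) / len(union) if union else 0.0


# Constructed "routine" planted in two samples. The bytes are made up; they
# only need to be long and distinctive (48 bytes -> 33 windows of 16).
SHARED_ROUTINE = (
    b"\x55\x8b\xec\x83\xec\x20\x53\x8b\x5d\x08\x56\x8b\x75\x0c\x57\x8b"
    b"\x7d\x10\x33\xc0\x8a\x0c\x03\x32\x0c\x06\x88\x0c\x07\x40\x3b\x45"
    b"\x14\x72\xf0\x5f\x5e\x5b\x8b\xe5\x5d\xc3\x90\x90\x90\x90\x90\x90"
)
# A different constructed routine that shares only a short, generic
# prologue/epilogue with the one above (well under 16 bytes in a row).
REPLACEMENT_ROUTINE = (
    b"\x55\x8b\xec\x81\xec\x00\x01\x00\x00\x53\x56\x57\x8b\x7d\x08\x33"
    b"\xc9\x8a\x04\x0f\x2c\x5a\x88\x04\x0f\x41\x3b\x4d\x0c\x72\xf3\x5f"
    b"\x5e\x5b\x8b\xe5\x5d\xc3"
)

# Constructed samples; the bracketed text stands in for unrelated code, and the
# single letter on each side of the routine keeps boundary windows distinct.
LAZARUS_TOOL = (
    b"[lazarus loader: config parser, c2 beacon, wiper stub]A"
    + SHARED_ROUTINE
    + b"A[lazarus tail: strings and resources]"
)
WANNACRY_FEB = (
    b"[wanna cry feb: dropper, ransom note builder, ui]B"
    + SHARED_ROUTINE
    + b"B[wanna cry tail: tor client, wallet list]"
)
WANNACRY_MAY = (
    b"[wanna cry may: dropper, ransom note builder, ui]C"
    + REPLACEMENT_ROUTINE
    + b"C[wanna cry tail: tor client, wallet list]"
)


def report(reference: bytes, builds: Dict[str, bytes], n: int = 16) -> Dict[str, dict]:
    """Compare each build against a reference sample. The result records how
    many windows overlap, the Jaccard ratio, and the lowest matching window,
    which is what an analyst would then pull up in a disassembler by hand."""
    out = {}
    for name, blob in builds.items():
        shared = shared_fragments(reference, blob, n)
        out[name] = {
            "shared_fragments": len(shared),
            "overlap_ratio": round(overlap_ratio(reference, blob, n), 3),
            "first_match": min(shared).hex() if shared else None,
        }
    return out


if __name__ == "__main__":
    for build, r in report(LAZARUS_TOOL, {"feb": WANNACRY_FEB, "may": WANNACRY_MAY}).items():
        print(build, r)
```

Run as written, the February build reports 33 shared windows (the whole planted routine) and the May build reports none, which is the pattern Kaspersky’s argument rests on. The script only tells you that code is shared; whether it was copied for convenience, inherited from a common toolkit or planted as a false flag is a judgment the analyst still has to make from the matching function itself.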

–…NOT DESIGNED TO ACCEPT MONEY: Lazarus Group is most widely known for hacking Sony Pictures in protest of the movie “The Interview.” But the group’s most impactful hacking has been to generate revenue. Lazarus has been fingered in a string of digital bank robberies conducted by hacking one bank and requesting massive cash transfers from another over the SWIFT banking transactions system that financial institutions use to move money. It stole $81 million from the central bank of Bangladesh alone. Choi notes that North Korea has also deployed bitcoin mining malware in the past. The hacking is believed to provide a revenue stream for the Hermit Kingdom that circumvents crippling international sanctions. If that is the case, a strange architectural decision in Wanna Cry seems even stranger. The ransomware encrypts files until a user pays to have the files released. But Wanna Cry has no automated system to release them: it directs every victim to one of just three hardcoded bitcoin addresses, so its operators cannot tell from the blockchain alone which victim has paid. After payment, a human has to authorize decryption, which drastically limits the amount of money the operators can collect.

–…STILL UNEXPLAINED: For the amount of damage the ransomware has caused, it has earned very little money. Bitcoin makes it difficult to trace an address to its owner but lets anyone view the balance and transactions of any address. The daily revenue of Wanna Cry is therefore visible to the public, and Wanna Cry is on pace to average $15,000 a day in revenue over its first five days. By comparison, CryptoWall ransomware earned nearly a million dollars a day in 2015. Some ransomware makers even hire customer support centers to help victims make payments using bitcoin, which some users find confusing. $15,000 a day is an extremely low total for such a prolific product. It is unclear why it has struggled to make money.

–…MEANWHILE, THE SHADOW BROKERS RESURFACED: The group that released the likely NSA-designed hacking tool used in the international “Wanna Cry” ransomware attack announced a monthly subscription service Tuesday for its remaining cache of stolen documents. The anonymous Shadow Brokers, who have been periodically releasing source code and documents believed to have been stolen from the National Security Agency since the summer, announced the new monetization scheme in a post early Tuesday morning. The message was written in broken English typical of the group. “Is being like wine of month club. Each month peoples can be paying membership fee, then getting members only data dump each month. What members doing with data after is up to members,” the Brokers wrote.

To read the rest of our piece, click here.

–…MEET THE EVEN BIGGER MALWARE LIKELY USING NSA-LEAKED HACKING TOOLS: Researchers at Proofpoint discovered new malware when they deliberately tried to get a machine infected with Wanna Cry. Something else moved in instead. The malware they have named Adylkuzz is designed to co-opt computers to mine Monero, a cryptocurrency designed to be even more private than bitcoin. Adylkuzz uses the same alleged NSA-designed hacking tool as Wanna Cry, called EternalBlue, and a second tool taken from the same NSA leak, called DoublePulsar. Once installed it shuts down the SMB networking it came in through, which keeps later arrivals such as Wanna Cry off the machine and explains why Proofpoint’s test system never caught the ransomware. Proofpoint calculates that it infects hundreds of thousands of systems and “may be larger in scale than Wanna Cry.” It also predates Wanna Cry by a number of weeks.

A COMEY UPDATE:
TRUMP REPORTEDLY ASKED COMEY TO DROP FLYNN PROBE:

Trump asked former FBI Director James Comey to end the federal investigation into former national security adviser Michael Flynn in February, The New York Times reported Tuesday.

Comey wrote in a memo shortly after the meeting that Trump told him “I hope you can see your way clear to letting this go, to letting Flynn go,” the report said.

The meeting reportedly took place one day after Flynn resigned. Comey’s memo was part of an effort to create a paper trail documenting Trump’s influence on the investigation.

The White House denied the memo’s version of events in a statement to the Times, writing: “This is not a truthful or accurate portrayal of the conversation between the president and Mr. Comey.”

Click here for more from The Hill’s Jordan Fabian.


REACTION:

House Oversight Committee Chairman Jason Chaffetz (R-Utah) said he would be open to subpoenaing the Comey memos.

Sen. Lindsey Graham (R-S.C.), who chairs a Senate Judiciary subcommittee, asked Comey to testify.

Dem lawmakers voiced outrage over the claims.

Senate Minority Leader Charles Schumer (D-N.Y.) said the country was “being tested in unprecedented ways.”

And Independent Sen. Angus King (Maine) said “reluctantly” that impeachment could be on the table.

The White House scrambled Tuesday to limit the damage from the latest bombshell.

The Hill’s Jonathan Easley looks at the last eight days, which shook Trump’s Washington.

A POLICY UPDATE:
HOUSE PASSES CYBER CRIME BILL: House lawmakers have passed a bill aimed at helping state and local law enforcement officials combat cyber crime.

The bill, introduced by Rep. John Ratcliffe (R-Texas), passed the House on Tuesday evening with broad bipartisan support in a 408-3 vote.

It would authorize into law the National Computer Forensics Institute, a federally-funded center in Hoover, Ala., that trains local officials across the country to investigate electronic crimes.

The legislation passed the House last year but never advanced to the Senate floor for a vote. Companion legislation has already been offered in the Senate by Sens. Chuck Grassley (R-Iowa) and Dianne Feinstein (D-Calif.), the leaders of the Judiciary Committee.

“The bicameral, bipartisan support on this issue underscores its critical importance … and the need for this issue to transcend political parties and partisan politics,” Ratcliffe said on the House floor Tuesday afternoon.

The Texas lawmaker said the bill would “give our officers a leg up on the criminals who are increasingly using digital means in cyber space to evade justice.”

Other lawmakers signaled support for the bill on Tuesday, citing the global “Wanna Cry” ransomware attack that has spread to 150 countries since Friday.

“We’re currently witnessing an unprecedented global cyberattack. Attacks such as this threaten our economy, our national security,” said Rep. Gary Palmer (R-Ala.), whose district is home to the training center.

Click here to read more.

A LIGHTER CLICK:
THE FAKE VIDEO GAME CREATED FOR A REAL VIDEO GAME that seemed so real, people now vividly remember it.
WHO’S IN THE SPOTLIGHT:
–PEOPLE THAT DON’T WANT TO REPLACE JAMES COMEY: On Monday, Rep. Trey Gowdy (R-S.C.) eliminated himself from contention for FBI director. On Tuesday, he was joined by Sen. John Cornyn (R-Texas) and reports surfaced that federal judge Merrick Garland does not want the job.
IN CASE YOU MISSED IT:
Links from our blog, The Hill, and around the Web.

Democrats called for a hearing on healthcare security following Wanna Cry’s impact on that sector. (The Hill)

Why investing in infrastructure means investing in software. (BSA)

Apple holds the patent on a pizza box. (Wired, appears near end of the story)

Brooks Brothers had a year-long credit card data breach. (ZDNet)

Donald Trump is believed to have been wearing Brooks Brothers in January when he was sworn in. Overnight Cybersecurity is sure everything is fine. (WWD)

Digital insecurity is the new normal. (NYT Opinion)

The firm TrapX believes it can show Iran hired a Russian contractor to work on malware. (TrapX)

If you’d like to receive our newsletter in your inbox, please sign up here.
