Security researchers have performed a metadata analysis of the WannaCry malware’s rich text format (RTF) files, suggesting its author was indeed Korean. Earlier analysis had already linked WannaCry to a North Korean hacking team, but others suggested the attacker’s native language was Chinese or English.
WannaCry was a fast-spreading ransomware attack that struck around the middle of May 2017. Demanding $300-600 USD in bitcoin from victims, it infected over 300,000 computers worldwide. Many were large corporations and government institutions.
Poor Korean a Deliberate Attempt to Mask Origin
According to a ThreatPost report, the researchers were from ElevenPaths, a security contractor of Spain’s Telefonica. The country’s largest telecommunications provider had itself been a WannaCry victim and is analyzing the malware’s source code.
The team examined the rich text ransom notes’ metadata — the information about a document and its author stored as part of the file. They discovered the author had typed in Korean, and used Korean as the default language on the copy of MS Word used to create the files.
An earlier linguistic analysis of the same ransom notes reported the Chinese and English versions read best. The Korean version had the worst translation.
However, the ElevenPaths team now says the poor Korean was deliberate: an attempt to mask the originator’s origins.
Other Data Reveals Timezone, Times Worked
Using other metadata and a tool they developed called Metashield Clean-up, the researchers created a timeline of WannaCry’s construction. Files included tools to connect to Tor, documents containing Bitcoin addresses and .onion domains, and images. Again, the default language was always Korean.
Local timezone, creation date and last access time data from .zip files — when compared to the first instances of WannaCry infections — also suggested the originator’s location.
From this they deduced the attacker was in UTC+9 (Korea’s timezone) or at least somewhere between UTC+2 and UTC+12.
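The two checks described above, reading the default language and author fields from an RTF ransom note and bounding the author’s UTC offset from a local creation time and a UTC first-sighting time, can be reproduced on any document. The script below is an added example, not ElevenPaths’ Metashield Clean-up or any code from the report: the RTF sample, the author names, the timestamps and the first-sighting time are all constructed, and the LCID table covers only a handful of Windows language IDs.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: a minimal RTF document carrying the kinds of fields the
# ElevenPaths team examined (default language, author, creation/revision times).
# It is not a real WannaCry ransom note.
SAMPLE_RTF = r"""{\rtf1\ansi\deff0\deflang1042\deflangfe1042{\fonttbl{\f0\fnil Malgun Gothic;}}
{\info{\author Constructed Author}{\operator Constructed Operator}
{\creatim\yr2017\mo5\dy10\hr14\min32}{\revtim\yr2017\mo5\dy11\hr9\min5}{\version3}}
\pard\f0\fs24 Ooops, your files have been encrypted!\par
}"""

# Windows LCIDs as written by \deflang (decimal). Only a few are listed here.
LANGID_NAMES = {
    1033: "English (United States)",
    1042: "Korean",
    1049: "Russian",
    2052: "Chinese (Simplified, PRC)",
}

def _rtf_time(rtf, group):
    """Parse an RTF \\info time group such as {\\creatim\\yr2017\\mo5\\dy10\\hr14\\min32}.
    RTF stores these as the author's local wall-clock time with no timezone."""
    m = re.search(r"\{\\" + group + r"((?:\\[a-z]+\d+)+)\}", rtf)
    if not m:
        return None
    parts = dict(re.findall(r"\\([a-z]+)(\d+)", m.group(1)))
    return datetime(int(parts.get("yr", 1900)), int(parts.get("mo", 1)),
                    int(parts.get("dy", 1)), int(parts.get("hr", 0)),
                    int(parts.get("min", 0)), int(parts.get("sec", 0)))

def _rtf_text(rtf, group):
    """Extract the text of a simple {\\author ...}-style group."""
    m = re.search(r"\{\\" + group + r" ([^}]*)\}", rtf)
    return m.group(1).strip() if m else None

def parse_rtf_metadata(rtf):
    """Return the identifying metadata fields found in an RTF document."""
    m = re.search(r"\\deflang(\d+)", rtf)
    lang = int(m.group(1)) if m else None
    return {
        "deflang": lang,
        "deflang_name": LANGID_NAMES.get(lang, "unknown LCID %r" % lang),
        "author": _rtf_text(rtf, "author"),
        "operator": _rtf_text(rtf, "operator"),
        "created": _rtf_time(rtf, "creatim"),
        "revised": _rtf_time(rtf, "revtim"),
    }

def consistent_utc_offsets(local_created, first_seen_utc, candidates=range(-12, 15)):
    """Whole-hour UTC offsets under which the timezone-less local creation time
    converts to a UTC instant no later than the file's first sighting (in UTC).
    A file cannot be created after it was observed, so every offset that would
    place creation after first_seen_utc is ruled out; what remains is a bound
    such as "at least UTC+9", not a single answer."""
    return [h for h in candidates if local_created - timedelta(hours=h) <= first_seen_utc]

if __name__ == "__main__":
    # Constructed first-sighting timestamp (as a sandbox or telemetry feed would record it), UTC.
    first_seen = datetime(2017, 5, 10, 6, 0)
    meta = parse_rtf_metadata(SAMPLE_RTF)
    for key, value in meta.items():
        print(f"{key:13} {value}")
    offsets = consistent_utc_offsets(meta["created"], first_seen)
    print("author's UTC offset is at least UTC%+d (candidates %s)" % (offsets[0], list(offsets)))
```

Run against a real document the same way: pass the file’s text to `parse_rtf_metadata` and the earliest UTC sighting you trust to `consistent_utc_offsets`. The bound only tightens when the first sighting is close to the creation time, which is why the researchers combined several files rather than relying on one.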
Shared code between WannaCry and the Lazarus APT (advanced persistent threat) entity also pointed the finger at North Korea. Lazarus APT was allegedly responsible for the career-destroying Sony Pictures hack in 2014. It may also have been behind the attack on SWIFT that stole $1 billion USD from Bangladesh’s central bank.
Metadata Leaves a Digital Trail That’s Hard to Erase
The analysis also highlights just how much of a digital trail we leave every time we use a computer. Creating, saving and sending files creates enough metadata to unmask even a determined, perhaps state-sponsored, attacker.
EXIF data in image files is another type of metadata that can reveal a frightening amount of information, e.g. the type of camera and the time and location of the shot. In 2012, a VICE reporter accidentally gave away John McAfee’s hiding place to Belize authorities by posting a photo online.
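To show concretely what the camera, time and location fields look like inside an image, the following added example builds a minimal Exif/TIFF blob in memory and then reads it back with a small IFD parser. It is not code from the article or from any photo tool: the camera make and model, the timestamp and the GPS coordinates are constructed values, and only the ASCII, LONG and RATIONAL field types needed for those tags are decoded. The same parser runs on the TIFF segment that a real JPEG carries after its `Exif\0\0` APP1 marker.

```python
import struct

# Tag numbers from the TIFF/Exif specifications.
TAG_MAKE, TAG_MODEL = 0x010F, 0x0110
TAG_EXIF_IFD, TAG_GPS_IFD = 0x8769, 0x8825
TAG_DATETIME_ORIGINAL = 0x9003
TAG_GPS_LAT_REF, TAG_GPS_LAT, TAG_GPS_LON_REF, TAG_GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
ASCII, LONG, RATIONAL = 2, 4, 5

def _rational(num, den):
    return struct.pack("<II", num, den)

def build_ifd(entries, ifd_offset):
    """Serialise one little-endian IFD placed at ifd_offset.
    entries: (tag, type, count, value_bytes); values longer than 4 bytes are
    written after the entry table and referenced by absolute offset."""
    data_start = ifd_offset + 2 + 12 * len(entries) + 4
    table, data = b"", b""
    for tag, typ, count, val in entries:
        if len(val) <= 4:
            table += struct.pack("<HHI", tag, typ, count) + val.ljust(4, b"\0")
        else:
            table += struct.pack("<HHII", tag, typ, count, data_start + len(data))
            data += val
    return struct.pack("<H", len(entries)) + table + struct.pack("<I", 0) + data

def build_sample_exif():
    """Construct a minimal Exif/TIFF blob (not a real photograph) holding the
    fields that typically leak: camera make/model, original timestamp, GPS fix."""
    exif_ifd = build_ifd([(TAG_DATETIME_ORIGINAL, ASCII, 20, b"2017:05:12 07:44:10\0")], 8)
    gps_off = 8 + len(exif_ifd)
    lat = _rational(37, 1) + _rational(33, 1) + _rational(5400, 100)   # 37 deg 33' 54.00"
    lon = _rational(126, 1) + _rational(58, 1) + _rational(4800, 100)  # 126 deg 58' 48.00"
    gps_ifd = build_ifd([
        (TAG_GPS_LAT_REF, ASCII, 2, b"N\0"), (TAG_GPS_LAT, RATIONAL, 3, lat),
        (TAG_GPS_LON_REF, ASCII, 2, b"E\0"), (TAG_GPS_LON, RATIONAL, 3, lon),
    ], gps_off)
    ifd0_off = gps_off + len(gps_ifd)
    ifd0 = build_ifd([
        (TAG_MAKE, ASCII, 15, b"ConstructedCam\0"),
        (TAG_MODEL, ASCII, 6, b"X-100\0"),
        (TAG_EXIF_IFD, LONG, 1, struct.pack("<I", 8)),
        (TAG_GPS_IFD, LONG, 1, struct.pack("<I", gps_off)),
    ], ifd0_off)
    return b"II" + struct.pack("<HI", 42, ifd0_off) + exif_ifd + gps_ifd + ifd0

def parse_ifd(blob, offset, endian):
    """Read one IFD into {tag: value}, following the Exif and GPS sub-IFD pointers."""
    count, = struct.unpack_from(endian + "H", blob, offset)
    fields = {}
    for i in range(count):
        entry = offset + 2 + 12 * i
        tag, typ, n, raw = struct.unpack_from(endian + "HHI4s", blob, entry)
        size = {ASCII: 1, LONG: 4, RATIONAL: 8}.get(typ, 1) * n
        if size > 4:  # value does not fit inline; the last 4 bytes are an offset
            val_off, = struct.unpack_from(endian + "I", blob, entry + 8)
            data = blob[val_off:val_off + size]
        else:
            data = raw[:size]
        if typ == ASCII:
            fields[tag] = data.rstrip(b"\0").decode("ascii", "replace")
        elif typ == RATIONAL:
            fields[tag] = [a / b for a, b in struct.iter_unpack(endian + "II", data)]
        elif typ == LONG:
            fields[tag] = struct.unpack_from(endian + "I", data)[0]
        else:
            fields[tag] = data
    for ptr in (TAG_EXIF_IFD, TAG_GPS_IFD):
        if ptr in fields:
            fields[ptr] = parse_ifd(blob, fields[ptr], endian)
    return fields

def parse_exif(blob):
    """Parse a TIFF/Exif blob in either byte order and return IFD0."""
    endian = "<" if blob[:2] == b"II" else ">"
    magic, ifd0_off = struct.unpack_from(endian + "HI", blob, 2)
    if magic != 42:
        raise ValueError("not a TIFF/Exif header")
    return parse_ifd(blob, ifd0_off, endian)

def dms_to_decimal(dms, ref):
    deg, minutes, seconds = dms
    value = deg + minutes / 60 + seconds / 3600
    return -value if ref in ("S", "W") else value

def summarize(blob):
    """Collapse the parsed tags into the facts a viewer of the photo would learn."""
    ifd0 = parse_exif(blob)
    exif = ifd0.get(TAG_EXIF_IFD, {})
    gps = ifd0.get(TAG_GPS_IFD, {})
    out = {"camera": f"{ifd0.get(TAG_MAKE, '?')} {ifd0.get(TAG_MODEL, '?')}",
           "taken": exif.get(TAG_DATETIME_ORIGINAL)}  # local wall-clock time, no timezone
    if TAG_GPS_LAT in gps and TAG_GPS_LON in gps:
        out["latitude"] = round(dms_to_decimal(gps[TAG_GPS_LAT], gps.get(TAG_GPS_LAT_REF, "N")), 4)
        out["longitude"] = round(dms_to_decimal(gps[TAG_GPS_LON], gps.get(TAG_GPS_LON_REF, "E")), 4)
    return out

if __name__ == "__main__":
    for key, value in summarize(build_sample_exif()).items():
        print(f"{key:10} {value}")
```

Note that `DateTimeOriginal` carries no timezone, the same ambiguity the RTF timestamps had: a location fix plus a wall-clock time is enough to place a photo, but time alone only bounds where it was taken. Stripping the GPS IFD (or the whole APP1 segment) before publishing removes the fields this summary reads.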
If even hackers and technology reporters can’t cover their metadata tracks, what chance does the average user have? Without an extensive understanding of metadata and how to extract it, that chance would be slim.