Code similarities are shared between a February 2017 sample of WannaCry and 2015 Contopee sample (previously attributed last year to Lazarus Group by Symantec) had been found. Initially, reported on Twitter by Google researcher Neel Mehta, I investigated further. Since then, this suspicion has been shared by Kaspersky too.

The attribution to Lazarus Group would make sense regarding their narrative which in the past was dominated by infiltrating financial institutions in the goal of stealing money.

If validated, this means the latest iteration of WannaCry would in fact be the first nation state powered ransomware.

This would also mean that a foreign hostile nation would have leveraged lost offensive capabilities from Equation Group to create global chaos.

In the meantime, a third kill switch appeared in the wild — the fact it contains lmaowould mean, if the above attribution is correct, that the attacker is purposely sending multiple messages:

A Global provocation message to the Law Enforcement & Security researcher community to be translated as “Keep Trying”.
Enforce the theory that the last iteration of WannaCry is a destructive operation to create political mayhem.