The UK’s National Cyber Security Centre (NCSC) led investigation into the origins of the WannaCry ransomware attack that crippled NHS systems last month has concluded that it came from a hacking group in North Korea.

What Happened?

The WannaCry global cyber attack back in May spread worldwide, claiming victims in 150 countries and leading to around 130,000 ransomware infections of computers. The attack also made the headlines in the UK because it temporarily crippled NHS computer systems.

WannaCry was made to exploit a vulnerability on an NSA-developed hacking tool called ‘Eternal Blue’. The rapid, global spread of WannaCry was eventually thwarted when UK security researcher Marcus Hutchins registered and took over the domain that was written into the ransomware’s core code.


The recent NCSC investigation has concluded that WannaCry was made and distributed by the North Korea-based hacking group known as Lazarus. This is believed to be the same group that targeted Sony Pictures with a hack in 2014 over the release of the film ‘The Interview’ that satirised the North Korean leadership. The Lazarus group is also believed to have targeted a South Korean supermarket chain.


It is believed that the WannaCry ransomware attack was indiscriminate, and the fact that the (old) NHS systems were particularly badly affected may have made it appear that it was targeted.


Initial reports from cyber security experts ruled out Russian-based hackers and focused on the fact that the code showed that it may have been created on a machine in a +9 GMT timezone.

A study and reverse-engineering of the WannaCry code, combined with some overlaps with previous code developed by the Lazarus group, plus taking into account wider evidence gathered by GCHQ’s NCSC, have led experts to confirm that WannaCry was the product of the North Korean Lazarus group. It is believed that America’s NSA did not contribute heavily to the investigation because the U.S. was not hit as badly as the UK by the attack.

Was It Worth It?

The motivation of the group has been called into question since the amount of ransom paid by victims is thought to only have been around £40,000, and none of the money has been collected by the group. Also, unlike many other hacking groups, Lazarus doesn’t claim responsibility for its attacks, does not release communiqués, and does not tweet about its exploits.
IT security commentators have, therefore, concluded that WannaCry is likely to have been an attack that was far more successful and widespread than the group had intended or expected.

What Does This Mean For Your Business?

In the wake of WannaCry’s rapid and extensive spread, Internet and data security, particularly with GDPR due to come into force next year, must surely now be given high priority by businesses and must be championed at board level. The danger and false economy of staying with old operating systems as long as possible was painfully exposed in this attack. For businesses, where an attack comes from is not as relevant and important as knowing that protection is in place.

Businesses need to take a range of measures to ensure that they are well defended against known cyber threats, and prepared for the aftermath, should defences be breached. Preparations could include making sure that all the latest updates and patches are installed on systems and that anti-virus software is up to date, all important data is regularly and securely backed-up, all staff are trained to spot and deal correctly with potential threats, and workable Disaster Recovery and Business Continuity Plans are in place.