Date: 2017-05-24

Claims by Symantec earlier this week that the WannaCry ransomware is the work of a North Korean group called Lazarus have been labelled "premature, inconclusive and distracting" by the Institute for Critical Infrastructure Technology (ICIT).

"The recent speculation concerning WannaCry attributes the malware to the Lazarus Group, not to North Korea, and even those connections are premature and not wholly convincing," warned James Scott, a senior fellow at the ICIT.

He continued: "Lazarus itself has never been definitively proven to be a North Korean state-sponsored advanced persistent threat; in fact, an abundance of evidence suggests that the Lazarus Group may be a sophisticated, well-resourced, and expansive cyber-criminal and occasional cyber-mercenary collective."

Indeed, the speed with which the ransomware took hold - raising its profile and, therefore, victims' reluctance to pay up, as well as piquing the interest of law enforcement worldwide - combined with a series of coding shortcomings that made it easy to defeat, indicates that WannaCry wasn't the work of the most technically accomplished of malware writers.

Scott continued: "Circumstantial similarities between malware variants and command-and-control infrastructure led to the recent attribution of WannaCry to Lazarus despite a sharp difference in the level of sophistication of the malware and threat actors, glaring differences in the target demographics, and severe variations in the operational procedures of the actors.

"At best, WannaCry either borrowed heavily from outdated Lazarus code and failed to change elements, such as calls to command and control servers, or WannaCry was a side campaign of a minuscule subcontractor or group within the massive cyber-criminal Lazarus advanced persistent threat," Scott suggests.

Scott also criticised Symantec's met