Categories: Malware

Comments (5)

  1. ceretullis

    “He made the mistake of forgetting to change the default language.”

    de los Santos and his team are making the rather bad assumption the attacker “forgot” to change the default language setting away from Korean. It’s quite possible they intentionally crafted metadata as a red herring. I.e. they may have intentionally set the default to Korean.

  2. Haru

    What if the default language had been set to Korean to enforce the theory of the native writing in broken Korean? Hopefully they were sloppy but maybe they were bigger masterminds than it would appear…

  3. Ssantos

    @ceretullis. Maybe, who knows. Please, read the original post. Attribution is risky. Anyway, Korean is set as default since WannaCry version 1.0 in March, which was a “regular” and even unpopular ransomware back then, and with a note written only in English.

    • ceretullis

      @Ssantos I read the original post. With the evidence available to you, it’s possible to draw some tantalizing deductions.

      For example, assuming the creator is not very skilled since there were no analysis countermeasures. This leads you to believe he’s making mistakes when leaving metadata. Which leads you to believe you can draw reasonable conclusions from the metadata.

      Attribution based on this kind of metadata is not simply “risky”, it is reckless. Metadata can be crafted to paint whatever picture an attacker wants.

      Unless you can corroborate the metadata with other reliable intelligence… you really have nothing but reckless speculation.

  4. Ssantos

    I agree. In the original post, that is what we try to do: corroborate with other intelligence… Anyway I fully agree again. Since it is a reckless exercise and speculation about intentional or mistakes… we are all just as right or wrong in the same way :). The important fact is that the language was set, and times in files and zips were those… if it helps to get to any other conclusion is up to every one of us. We will definitely need more hints.

