Gabriel Gumbs, VP of Product Strategy at STEALTHbits Technologies:
“Shadow Brokers would just be joining the long line of black market 0day sellers in the so-called cyber-arms market. What is novel about them is their sources, and the impact is not more exploits in the wild; the impact is arguably whether their exploit lessens the efficacy of the NSA and the other agencies that they have stolen exploits from. But we also know those same agencies have been buying exploits on the black market and from legit exploit sellers like ZERODIUM, Vupen, HackingTeam, etc. for years.
“There are several signs that suggest the authors of the first observed instance of WannaCry are not amateurs and that the kill switch was likely not inadvertent. Primary among them is the absence of the practice of using auto-generated round-robin domains for this type of C2 (command & control) activity. But even further pointing to this new variant not being attributable to the original authors is that the new variant is a patched version of the old malware, not a recompiled version. This is a key distinction in that whoever removed the kill switch did not have access to the source code.
“Speculation about North Korea somehow being involved will be hard to prove even circumstantially. Bureau 121 and No. 91 Office, the two North Korean cyberwarfare agencies that are known to engage in this type of behavior, tend to reuse portions of their code, which has allowed us to at least speculate their involvement. In this case, much of the code was stolen from the NSA, making it harder to trace the origins of WannaCry. What we do definitively know, however, is that a manual human operator must activate decryption from the Tor C2, which means it is unlikely that the perpetrators ever intended to unlock victims’ files.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.