Beijing, schools and government offices hit by Ransomware ... of North Korean origin (maybe)

Over 10,000 schools and colleges hit. License distribution and credit card payment at service stations blocked. Suspicions settle on the Lazarus group, who work in China but under North Korea.

Beijing (AsiaNews / Agencies) - China is among the countries most affected by the ransomware cyberattack, which is suspected of having a North Korean origin. About 30,000 IP addresses were hit by the virus, which "seized" all the files on a computer and demanded a ransom of $300 to release them.

The attack hit at least 10,000 school institutions, especially universities. Among them, the South West University, which suffered paralysis of the internal network and payment system with student cards.

The government offices worst affected include the department for motor vehicles, housing loans, etc. Many offices have had to suspend services and update their systems, while driving licenses were suspended in many cities.

Even China National Petroleum Corp's service stations were hit, putting the credit card and online payment system out of use. The company said that at least 80% of its stations have now resumed normal activities.

China is the most affected because it is the nation with the greatest number of Internet users - about 700 million - and perhaps - as experts say - because computers are not updated and suffer from poor maintenance.

But there is another reason: China may be the most affected because it was the first to be in the hacker's sights. Security experts point out that the date marked on the original Ransomware code is UTC + 9, that is, the Beijing time zone, and the text demanding a ransom, while in English, has a part written in Chinese.

Suspicions focus on a group called "Lazarus," responsible for hacking Sony in 2014 and a Bangladeshi bank in 2016. Many think that the Lazarus group is based in China but works for North Korea.

Other security companies are doubtful: the link with North Korea is not so obvious, nor is the link between this latest attack and Lazarus. It is also possible that hackers have simply copied the virus from previous Lazarus attacks.

The virus exploits some vulnerabilities in Microsoft Windows. Last March, the company issued a corrective update, but most likely not everyone updated their system. Yesterday Microsoft also accused the national security agencies of being superficial and asked governments to report computer vulnerabilities to vendors rather than storing them, selling them, or exploiting them for possible cyber-wars.