A linguistic analysis of more than two dozen ransom notes displayed by the WannaCry ransomware suggests that its authors are fluent Chinese speakers and they also appear to know English.
Researchers at threat intelligence firm Flashpoint have analyzed 28 WannaCry ransom notes, including ones written in Chinese (both simplified and traditional), Danish, Dutch, English, French, German, Indonesian, Italian, Japanese, Korean, Norwegian, Portuguese, Romanian, Russian, Spanish, Swedish and Turkish.
The linguistic analysis showed that there are significant differences between the notes written in Chinese and the ones written in other languages. Evidence suggests that the Chinese note, which mostly uses proper grammar, punctuation and syntax, was actually written with a Chinese-language keyboard.
One of the words used in the Chinese note is more common in South China, Hong Kong, Singapore and Taiwan, while another term is more widely used in mainland China.
Experts pointed out that the note written in Chinese includes a significant amount of content that is not present in other versions, and they believe it may have served as the source for the English version.
The English note is also well written, but it contains a major grammar mistake that suggests its author is either not a native speaker or possibly someone who is not well educated.
Flashpoint has determined that the English note has been used to translate the text into other languages using a service such as Google Translate. Tests conducted by researchers show that there is a match of at least 96 percent between the WannaCry notes and Google-translated versions of the English message.
While WannaCry may have been developed by more than one individual, Flashpoint said with high confidence that the Chinese-language ransom note was written by someone who is fluent in Chinese. The English note was written by someone who knows English, but does not appear to be a native speaker, the company said.
“Given these facts, it is possible that Chinese is the author(s)’ native tongue, though other languages cannot be ruled out,” Flashpoint said. “It is also possible that the malware author(s)’ intentionally used a machine translation of their native tongue to mask their identity. It is worth noting that characteristics marking the Chinese note as authentic are subtle. It is thus possible, though unlikely, that they were intentionally included to mislead.”
While security firms such as Symantec and Kaspersky presented evidence linking WannaCry to North Korea, Cybereason questioned the apparent connection, pointing to differences in tactics and the fact that two of the most impacted countries, Russia and China, are North Korea’s biggest allies.
Researchers at Flashpoint are not the only ones who mentioned China. James Scott, a senior fellow at the Institute for Critical Infrastructure Technology, also believes the attack may have been conducted by hackers from China’s People’s Liberation Army “moonlighting” in their spare time, or freelance Chinese hackers hired by Pyongyang.