Researchers have found a linguistic link between WannaCry’s ransom notes and the language used in southern China, Taiwan or Singapore
The ransom note used in the disruptive “WannaCry” malware was likely to have been written by a fluent Chinese-speaker, according to security analysts, providing the latest clue to who may have been behind it.
WannaCry spread more widely than other ransomware due to its use of two Windows vulnerabilities that were allegedly discovered by US national security services and were made public only recently, meaning many large organisations hadn’t yet patched their systems.
Chinese language link
Some researchers have suggested a link with North Korea-backed hackers known as “Lazarus Group”, due to similarities in the code and infrastructure used, while others have said the connections aren’t close enough to be definitive.
Now an analysis by Flashpoint has found that the note included with the malware was almost certainly written by a native or fluent speaker of the Chinese used in southern China, Hong Kong, Taiwan, or Singapore.
Researchers found that of the more than two dozen linguistic versions of the note included with the malware, only the English and the Chinese versions are likely to have been written by humans.
The others appear to have been translated from the English note, which seems likely to have been based in turn on the Chinese version, Flashpoint said.
“Flashpoint assesses with high confidence that the author(s) of WannaCry’s ransomware notes are fluent in Chinese,” the company said in an advisory. “Flashpoint also assesses with high confidence that the author(s) are familiar with the English language, though not native.”
The researchers noted that the Chinese note used proper grammar, punctuation, syntax and character choice.
It also included a typographical error that suggested the note was written using a Chinese-language input system.
The English-language note included grammatical errors that suggested the writer was familiar with English, but was a non-native speaker or poorly educated.
But the firm conceded its findings aren’t sufficient to determine the writer’s nationality, and that the clues it found may have been intentionally put there to mislead investigators.
For instance, the Korean-language version of the ransom note was likely to have been machine-translated from the English note, but a Korean writer may have used such a tactic to throw investigators off, Flashpoint said.
The outbreak is being investigated by the UK’s National Crime Agency (NCA), the FBI and Europol.
Researchers noted the malware’s authors seem to have gone to ground, having shut down its control servers and not having attempted to retrieve the Bitcoins paid in ransom.