The ransom note used in the disruptive “WannaCry” malware was likely to have been written by a fluent Chinese-speaker, according to security analysts, providing the latest clue to who may have been behind it.
WannaCry spread more widely than other ransomware due to its use of two Windows vulnerabilities that were allegedly discovered by US national security services and were made public only recently, meaning many large organisations hadn’t yet patched their systems.
Some researchers have suggested a link with North Korea-backed hackers known as “Lazarus Group”, due to similarities in the code and infrastructure used, while others have said the connections aren’t close enough to be definitive.
Now an analysis by Flashpoint has found that the note included with the malware was almost certainly written by a native or fluent speaker of the Chinese used in southern China, Hong Kong, Taiwan, or Singapore.
The other language versions of the note appear to have been translated from the English note, which seems likely to have been based in turn on the Chinese version, Flashpoint said.
“Flashpoint assesses with high confidence that the author(s) of WannaCry’s ransomware notes are fluent in Chinese,” the company said in an advisory. “Flashpoint also assesses with high confidence that the author(s) are familiar with the English language, though not native.”
The researchers noted that the Chinese note used proper grammar, punctuation, syntax and character choice.
It also included a typographical error that suggested the note was written using a Chinese-language input system.
The English-language note included grammatical errors that suggested the writer was familiar with English, but was a non-native speaker or poorly educated.
But the firm conceded its findings aren’t sufficient to determine the writer’s nationality, and that the clues it found may have been intentionally put there to mislead investigators.
For instance, the Korean-language version of the ransom note was likely to have been machine-translated from the English note, but a Korean writer may have used such a tactic to throw investigators off, Flashpoint said.
WannaCry affected more than 200,000 computers in 150 countries, disrupting government, healthcare and corporate systems.
The outbreak is being investigated by the UK’s National Crime Agency (NCA), the FBI and Europol.
Researchers noted the malware’s authors seem to have gone to ground, having shut down its control servers and not having attempted to retrieve the Bitcoins paid in ransom.