Security Firm Discovers Link Between WannaCry Ransomware and Southern China
We may never know who the perpetrators of the
In a recent
, Flashpoint outlined its linguistic analysis of the ransom
Flashpoint's researchers have studied the notes and found that whoever the author was, they were likely either "native or at least fluent" in Chinese. They discovered that out of the 28 different notes, only the English version and the two Chinese character versions (Simplified and Traditional) appear to have been written by a human. All 25 other notes appear to have been translated from the English note using
The English ransom note is almost perfect except for what Flashpoint calls "a glaring grammatical error" that suggests "the speaker is non-native or perhaps poorly educated." The post doesn't point out what that grammatical error is. Looking over the note, there are a few errors but one that stands out is, "But you have not so enough time."
According to Flashpoint, the Chinese notes both contain more information and are different than all the others in content, format, and tone. From the post:
A typo in the note, "帮组" (bang zu) instead of "帮助" (bang zhu) meaning "help," strongly indicates the note was written using a Chinese-language input system rather than being translated from a different version. More generally, the note makes use of proper grammar, punctuation, syntax, and character choice, indicating the writer was likely native or at least fluent.
Google Translate doesn't handle Chinese-to-English or English-to-Chinese translation very well.
All of this has led Flashpoint to cautiously conclude that "the author(s) of WannaCry's
But that doesn't tell us much about the hackers. It certainly doesn't mean they are located in China; hackers can work from anywhere. And hackers are known to deliberately misuse language in order to circumvent this kind of analysis. At the same time, the WannaCry hackers have made some noticeably amateur errors that include using a kill switch that made it simple to briefly shut the spread of the ransomware down, and they didn't use an automated system to ensure that a ransom had been paid.
All of this information just adds to the intrigue around WannaCry. Previous research has pointed to the possible involvement of the Lazarus Group, which is believed to be sponsored by North Korea. And the US government as recently as yesterday seems to like that theory. Flashpoint director of Asia-Pacific research Jon Condra tells ThreatPost, "The relationship between North Korea and China, especially in intelligence domains, is probably much more complicated than widely appreciated." He says that this is just another data point and rather than contradicting other firms' conclusions, Flashpoint's work just "adds to them."