Researchers from Flashpoint, a business risk intelligence company, have determined that the ‘native tongue’ of the authors of WannaCry originates in China. Their analysis of the malware examined the content, accuracy and style of the 28 different languages within the program’s ransom notes. These notes were written in numerous disparate languages ranging from English and French to Japanese, Russian and Turkish.
According to the Flashpoint researchers, “Since the May 12, 2017, ‘WannaCry’ ransomware worm attack, researchers have struggled with the question of attribution. A number of researchers have linked the activity to the suspected North Korean-affiliated ‘Lazarus Group’ due to similarities in the code and the infrastructure.”
However, their linguistic analysis revealed that nearly all of the notes were translated using Google Translate and only three versions – the English and Chinese (Traditional and Simplified) – are likely to have been written by a native hand. According to the researchers, a ‘glaring grammatical error’ in the English note points to the conclusion that the author is either a non-native speaker or is poorly educated. The Flashpoint team also found that the English note was used as the source for translating the other versions, with a correlation of 96% or above between the words.
However, the researchers went further, claiming that the two Chinese notes were not translated from the English source, as they fail English-Chinese and Chinese-English tests for cohesiveness. Even more damning is the Chinese notes’ use of proper spelling (for all except one typo where ‘bang zhu’ or ‘help’ is misspelled), grammar and character choice. The researchers said that this indicated “the writer was likely native or at least fluent”.
The team were able to tighten the net even further, however, as the Chinese notes also contain hints of regional tongues. One term for ‘week’ is more common in South China, Hong Kong, Taiwan and Singapore, although it can be used in other parts of the country. Another for ‘anti-virus’ is more commonly used on the Chinese mainland. Most compelling is the depth to which the Chinese notes go – containing considerably more information than all of the other texts.
The team said: “Flashpoint assesses with high confidence that the author(s) of WannaCry’s ransomware notes are fluent in Chinese, as the language used is consistent with that of Southern China, Hong Kong, Taiwan, or Singapore.” The researchers conceded, however, that this evidence is not enough to determine the creator of WannaCry, as other possibilities, such as the authors deliberately masking their tongues using Google Translate, ‘cannot be ruled out’.