Analysis of the ransom notes found that only the Chinese versions, both simplified and traditional, and the English versions, are likely to have been composed by a someone who spoke those languages.
Researchers suggest that minor errors in the Chinese ransom note mean it was typed using a Chinese-language input system.
Meanwhile, while the English language note is said to have been written with someone with a "strong command" of English, a grammatical error in the note suggests the author is not a native English speaker.
The other 25 ransom notes - in languages including Russian, Spanish, Turkish and Korean - have all been translated using Google Translate, with the English language version of the ransom demand used as the source text for machine translation.
However, when researchers tested the text with Chinese-English and English-Chinese translations, the results were inaccurate, further suggesting that the Chinese note wasn't developed by using machine translation from English.
Other signs also point to a Chinese author; for example, one term for "week" is more common in South China, Hong Kong and Taiwan, while the term used for anti-virus is more common the Chinese mainland.
In addition to all of this, researchers note that the Chinese ransom demand is longer than those of other languages, with additional content and a differing format, again suggesting that it is written by someone who could speak the language.
Overall, linguistic analysis of the notes lead Flashpoint to conclude "with moderate confidence" that the Chinese ransom note was written by a fluent Chinese speaker and served as the original source for the English version, which was then used as the basis of machine translation for other notes.
Researchers therefore suggest that it's highly possible that Chinese is the authors' native tongue. However, they also suggest that it isn't possible to rule out misdirection on behalf of the attackers, who might have used the machine translation to hide their native language.
Some security firms have linked the cyberattack to the Lazarus group, a hacking operation connected to a number of high-profile cyberattacks in recent years including the $80m Bangladeshi cyber bank heist, as well as attacks against financial institutions, banks, casinos, and systems used by software developers for investment companies around the world.
Researchers at Symantec say there are similarities between code linked to these Lazarus campaigns and the code behind the WannaCry ransomware outbreak, which they suggest means the two campaigns could be linked to the same author.
While some say the Lazarus hacking group works on behalf of North Korea, the group is actually believed to operate out of China, something which would lend weight to Flashpoint's conclusions that the authors are fluent in Chinese.
However, there's also the possibility that a group which just happen to have members who are fluent in Chinese are writing notes in the language to throw authorities off the scent.