WannaCry: Ransom note analysis throws up new clues

Linguistic analysis of ransom notes by Flashpoint suggests the ransomware note writer speaks Chinese - and used Google Translate.
Written by Danny Palmer, Senior Writer

Researchers suggest that some of the vocabulary in the original ransom note is regionally specific Chinese usage

Image: iStock

As the world works towards identifying the perpetrators of the WannaCry ransomware campaign, one group of cybersecurity researchers says they've likely determined the native language of the writer of the ransom note, another potential step towards attributing the attack.

A number of cybersecurity firms have tentatively linked the attack to North Korea, but now analysis of WannaCry ransom notes in 28 languages by researchers at Flashpoint has led them to the conclusion that those behind the ransomware text are likely Chinese speaking.

Analysis of the ransom notes found that only the Chinese versions, both simplified and traditional, and the English version are likely to have been composed by someone who spoke those languages.

Researchers suggest that minor typing errors in the Chinese ransom note indicate it was typed using a Chinese-language input system rather than produced by translation.

Meanwhile, while the English-language note is said to have been written by someone with a "strong command" of English, a grammatical error in the note suggests the author is not a native English speaker.

The other 25 ransom notes - in languages including Russian, Spanish, Turkish and Korean - appear to have been machine-translated using Google Translate, with the English-language version of the ransom demand used as the source text.

Moreover, when the researchers ran the text through Google Translate in both directions, Chinese to English and English to Chinese, the results were inaccurate, further suggesting that the Chinese note was not produced by machine translation from English.

Other signs also point to a Chinese author; for example, the term used for "week" is more common in southern China, Hong Kong and Taiwan, while the term used for anti-virus software is more common on the Chinese mainland.

In addition, the researchers note that the Chinese ransom demand is longer than those in other languages, with extra content and a different format, again suggesting that it was written by someone fluent in the language.

Overall, linguistic analysis of the notes led Flashpoint to conclude "with moderate confidence" that the Chinese ransom note was written by a fluent Chinese speaker and served as the original source for the English version, which was then used as the basis for machine translation of the remaining notes.

The researchers therefore suggest it is highly possible that Chinese is the authors' native tongue. However, they also caution that misdirection cannot be ruled out: the attackers might have used machine translation deliberately to hide their native language.

Some security firms have linked the attack to the Lazarus group, a hacking operation connected to a number of high-profile intrusions in recent years, including the $81m Bangladesh Bank heist, as well as attacks against financial institutions, casinos and systems used by software developers for investment companies around the world.

Researchers at Symantec say there are similarities between code used in these Lazarus campaigns and the code behind the WannaCry ransomware outbreak, which they suggest means the two could share the same author.

While Lazarus is widely said to work on behalf of North Korea, some researchers believe the group's operators work from within China, which would lend weight to Flashpoint's conclusion that the authors are fluent in Chinese.

However, there is also the possibility that a group which simply happens to have Chinese-fluent members is writing the notes in that language to throw investigators off the scent.

The WannaCry ransomware epidemic hit over 300,000 PCs around the globe, using worm-like capabilities to spread between Windows machines by exploiting the SMBv1 flaw addressed in Microsoft's MS17-010 security update, so unpatched systems and older, unsupported versions of Windows were hit particularly hard.

While most of the affected organisations have now returned to normal, some are still recovering almost two weeks on from the outbreak.
