Linguistic analysis of WannaCry ransomware points to native Chinese speakers
Maybe it wasn't North Korea, after all?
A linguistic analysis of the WannaCry ransom note indicates that the malware was designed by native Chinese speakers, and that Google Translate was used to translate the ransom note into multiple languages.
The analysis was carried out by security intelligence group Flashpoint, who examined the ransom notes in 28 different languages, including both simplified and traditional Chinese, English, Japanese, Russian, Vietnamese and Filipino.
"Analysis revealed that nearly all of the ransom notes were translated using Google Translate and that only three, the English version and the Chinese versions (simplified and traditional), are likely to have been written by a human instead of machine translated.
"Though the English note appears to be written by someone with a strong command of English, a glaring grammatical error in the note suggests the speaker is non-native or perhaps poorly educated."
According to Flashpoint, it appears as though the English version was used as the basis for the translation into other languages. However, the two Chinese ransom notes differed "substantially" from the other notes in both "content, format, and tone".
It continues: "More generally, the note makes use of proper grammar, punctuation, syntax, and character choice, indicating the writer was likely fluent or at least native. There is, however, at least one minor grammatical error which may be explained by auto-complete, or a copy-editing error."
Indeed, the use of certain terms narrows down the location to South China, Hong Kong, Taiwan or Singapore, although the term used for anti-virus points to the Chinese mainland, suggest Flashpoint.
Most compelling of all, it adds, the Chinese note contains extra content not present in other versions of the note, and differs slightly in format.
"It is possible that Chinese is the author's native tongue, though other languages cannot be ruled out. It is also possible that the malware author intentionally used a machine translation of their native tongue to mask their identity," conclude Flashpoint.
It adds: "It is worth noting that characteristics marking the Chinese note as authentic are subtle. It is thus possible, though unlikely, that they were intentionally included to mislead."
The analysis runs contrary to claims by Symantec linking the ransomware outbreak with Lazarus, a group linked to North Korea. Those claims drew fire from a researcher at the Institute for Critical Infrastructure Technology, who claimed that the evidence linking WannaCry with Lazarus and North Korea wasn't as strong as Symantec had suggested.