The WannaCrypt extortion notes were most likely written by Chinese-speaking authors, according to linguistic analysis.
WannaCry samples analysed by security outfit Flashpoint contained language configuration files with translated ransom messages for 28 languages. All but three of these messages were put together using Google Translate, according to Flashpoint.
Analysis revealed that nearly all of the ransom notes were translated using Google Translate and that only three, the English version and the Chinese versions (Simplified and Traditional), are likely to have been written by a human instead of machine translated. Though the English note appears to be written by someone with a strong command of English, a glaring grammatical error in the note suggest the speaker is non-native or perhaps poorly educated.
Flashpoint found that the English note was used as the source text for machine translation into the other languages.
The two Chinese ransom notes differ substantially from other notes in both content, format, and tone. This means they were likely that the Chinese text was put together separately from the English text and by someone who is at least fluent in Chinese if not a native speaker. The Chinese note is longer than the English note, containing content absent from other versions of the shake-down message.
The most plausible scenario is that the Chinese was the original source of the English version, say analysts. Flashpoint concludes that the unidentified perps – without speculating on their nationality – are likely to be Chinese speakers.
Flashpoint assesses with high confidence that the author(s) of WannaCry’s ransomware notes are fluent in Chinese, as the language used is consistent with that of Southern China, Hong Kong, Taiwan, or Singapore. Flashpoint also assesses with high confidence that the author(s) are familiar with the English language, though not native. This alone is not enough to determine the nationality of the author(s).
Similarities in the code and the infrastructure earlier led to tenuous links being made between the unidentified perps behind WannaCrypt and the infamous North Korean-affiliated Lazarus Group.
Like many high profile hacker attacks before it, such as the Sony Picture hack, many competing theories have arisen about the motives and identity of the WannaCrypt worm’s authors since the malware created havoc worldwide two weeks ago.
An analysis of competing theories by threat intelligence firm Digital Shadows concludes that WannaCrypt was most likely put together by an unsophisticated financially motivated cybercriminal group.
Digital Shadows said it did not discount the possibility that the malware was the work of either more sophisticated cybercriminals or intel agencies, merely ruling that such possibilities are less likely than greedy script kiddies.
By John Leyden