Analysis suggests WannaCry ransom note author is native Chinese speaker

As if attribution efforts surrounding the May 2017 WanaCrypt0r/WannaCry ransomware attack weren't already convoluted...

A new report asserts with high confidence that the author of the WannaCry ransom note probably speaks fluent Chinese, adding a new layer of intrigue to an investigation that has already turned up malware code linked to an alleged North Korean threat group as well as clues suggesting the possible involvement of Russian cybercriminals.

Dark web intelligence firm Flashpoint, which released the report on Thursday, went so far as to theorize that Chinese is most likely the note author's native tongue, based on its own linguistic analysis.

Moreover, Flashpoint has concluded that the ransom note is original, having found no matches to past attacks. The note is translated into 28 different languages, apparently via the Google Translate service. Of these 28 translations, three stand out as unique: the simplified and traditional Chinese versions, and the English version.

According to the report, the Chinese notes contain "substantial content not present in any other version of the note," plus they are longer and formatted differently. In an interview with SC Media, Jon Condra, director of Asia Pacific Research at Flashpoint, further elaborated that the Chinese note had several unique turns of phrase that added flourish and color to the threat. Phrases that only appear in the Chinese version include "Please relax. I absolutely will not scam you." and "Even the coming of God cannot restore these documents."

The Chinese note also uses proper grammar, punctuation, syntax, and character choice, Flashpoint notes – all of which indicates that the writer is highly familiar with the written Chinese language.

But the biggest hint that an actual person wrote the note in Chinese without machine translation was a typo found in a word that was seemingly meant to say "help," but instead read like a nonsense word. Such an error is indicative of using a Chinese-language input system. "Automated translations will not make that mistake," said Condra.

Such a discovery adds new context to the narrative of who is responsible for the WannaCry attack, although Condra noted that the findings do not necessarily clash with other recent research reports that cited North Korean hacking tools and malware code. "I don't think it's a complete curveball," said Condra.

For instance, while Symantec Corporation recently reported that it found strong ties between WannaCry and the Lazarus Group – an APT that allegedly acts on behalf of North Korea – its researchers shied away from accusing the nation-state of the attack. Rather, Symantec theorizes that the attack was likely the work of inexperienced cybercriminals who had access to Lazarus tools.

SC Media's own Peter Stephenson also recently cited intelligence that the attack was cybercriminal in nature. While his intel pointed toward Russian actors, Flashpoint's linguistic analysis would suggest that it is more likely that the perpetrators are Asian, though nothing is for certain and use of language doesn't necessarily indicate one's nationality.

"We don't know a lot about the Lazarus Group," said Condra. "It could have been Chinese members, it could be North Korean members who speak Chinese. It's believed that a North Korean hacker group operates out of Northwestern China," as well as Malaysia and other Asian countries, he continued.

Flashpoint also suspects that the English version of the note borrows from the Chinese version, but was also written by a human with a "strong command" of the language, despite a major typo that suggests English might be a secondary language for the author.

All of the other language versions of the note appear to be translated from the English version. Flashpoint notes that comparisons between the English note and various Google-translated versions of the note "yielded nearly identical results, producing a 96 percent or above match."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts, and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
