Linguistic analysis shows WannaCry ransom notes written by southern Chinese, says US intelligence firm

Staff monitoring the spread of ransomware cyber-attacks at the Korea Internet and Security Agency (KISA) in Seoul on May 15, 2017.
Staff monitoring the spread of ransomware cyber-attacks at the Korea Internet and Security Agency (KISA) in Seoul on May 15, 2017.PHOTO: AFP

The WannaCry Malware that affected as many as 300,000 computers worldwide are likely authored by hackers from southern China, Hong Kong, Taiwan or Singapore, said a US intelligence company.

The attacks discovered earlier in May caused havoc in global computer networks, affecting as many as 150 countries and disrupting governments and several industries.

Infected systems were locked down with a note demanding a ransom, written in 28 different languages.

Nearly all the ransom notes were translated using Google Translate, except for the ones in English, traditional Chinese and simplified Chinese, said Flashpoint, which provides business-risk intelligence.

These appeared to have been written by a human, it said.

"Though the English note appears to be written by someone with a strong command of English, a glaring grammatical error in the note suggests the speaker is non-native or perhaps poorly educated," Flashpoint wrote in an analysis published on its website on May 25.

The error was "But you have not so enough time".

The English note also omits a few phrases from the Chinese notes, but it was used as the source text for machine translation into the other languages, it added.

The Chinese notes, meanwhile, were fluent and appeared to be written by a native speaker.

They contained a typo in the phrase meaning "help" ("bang zhu"), indicative of Chinese language input.

The note also used a term for "week" ("li bai") that is more common in south China, Hong Kong, Taiwan and Singapore, Flashpoint said.

It used a phrase for "anti-virus" ("sha du ruan jian") that is more common in the Chinese mainland.

But a Chinese language professor disputed this.

Dr Zhang Kefeng, a professor of Chinese language at Jimei University in Xiamen, told the South China Morning Post that "li bai" is also used in northern China.


"It is difficult to spot geographical differences in written Chinese nowadays, especially among educated people," he said.

Comparisons between the Google-translated versions of the English ransomware note to the corresponding WannaCry ransom note yielded nearly identical results, Flashpoint said.

Cyber security experts had earlier linked the worm to North Korea after finding similarities to other malware families believed to be developed by North Korean hackers.

Symantec researchers said they had found multiple instances of code that had been used both in the North Korea-linked group's previous activity and in early versions of WannaCry.

However, it concluded that the WannaCry attacks "do not bear the hallmarks of a nation-state campaign but are more typical of a cybercrime campaign".

Others had doubted the link as the attack seemed less sophisticated than those carried out by the North Korean linked Lazarus Group.

Various estimates showed the "ransom" raised amounted to a paltry US$116,000 (S$160,000) from 302 entities more than a week after computers were locked down.

Mr James Scott, a senior fellow at the Institute for Critical Infrastructure Technology, said WannaCry was "barely functional" and spread widely only because of the large number of networks and computers which failed to upgrade security.

The hackers known as Lazarus are a sophisticated cybermercenary group, Mr Scott told AFP.

"They use elaborate traps, obfuscation techniques and wipers to eliminate digital footprints. This (WannaCry) has none of that."

More likely, Mr Scott said, is that the attacks were carried out by hackers from China's People's Liberation Army "moonlighting" in their spare time.