May 31, 2017

Researchers Find Link Between WannaCry Ransomware and China

Security researchers at Flashpoint have revealed a linguistic analysis of the ransom notes delivered to tens of thousands of WannaCry’s victims around the world.

While a portion of the cybersecurity community has linked the sweeping global WannaCry attack on May 12 to the North Korean hacker group Lazarus, a recent analysis by Flashpoint researchers dug further.

The unprecedented ransomware campaign struck over 100 countries around the world, with ransom notes delivered to victims in 28 different languages. However, researchers soon deduced that nearly all of the ransom notes, except the English version and the Chinese versions (Simplified and Traditional), were machine-translated via Google Translate. So only the notes in two broad languages were written by a human. The rest, researchers summed up, were Google-translated versions of the English note.

However, there was a giveaway.

The researchers wrote:

Though the English note appears to be written by someone with a strong command of English, a glaring grammatical error in the note suggests the speaker is non-native, or perhaps poorly educated.

Meanwhile, the two Chinese ransom notes differed “substantially” from each other, in “content, format and tone,” according to the researchers.

Pointing to a number of unique characteristics in the note, they see it as penned by a fluent Chinese speaker.

They added:

A typo in the note, “帮组” (bang zu) instead of “帮助” (bang zhu) meaning “help,” strongly indicates the note was written using a Chinese-language input system rather than being translated from a different version. More generally, the note makes use of proper grammar, punctuation, syntax, and character choice, indicating the writer was likely native or at least fluent. 

The most compelling evidence is that the Chinese note contains “substantial” content that isn’t present in any of the other ransom notes. That was enough for the researchers to conclude “with high confidence” that the authors of the ransom notes are fluent in Chinese, particularly as used in Southern China, with language commonly found in Hong Kong, Taiwan or Singapore.

About the author

LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients’ engagement experience while providing a strategic and integrated array of services to minimize risk and disruption while protecting your brand.
