May 31, 2017

Researchers Find Link Between WannaCry Ransomware and China

Security researchers at Flashpoint have revealed a linguistic analysis of the ransom notes delivered to tens of thousands of WannaCry’s victims around the world.

While a portion of the cybersecurity community has linked the sweeping global WannaCry attack on May 12 to the North Korean hacker group Lazarus, a recent analysis by Flashpoint researchers dug further.

The unprecedented ransomware campaign struck over 100 countries around the world, with ransom notes delivered to victims in 28 different languages. However, researchers soon deduced that nearly all of the ransom notes, except the English version and the Chinese versions (Simplified and Traditional), were machine-translated via Google Translate. So, only the notes in two broad languages were written by a human. The rest, the researchers concluded, were Google-translated versions of the English note.

However, there was a giveaway.

The researchers wrote:

Though the English note appears to be written by someone with a strong command of English, a glaring grammatical error in the note suggests the speaker is non-native, or perhaps poorly educated.

Meanwhile, the two Chinese ransom notes differed “substantially” from each other, in “content, format and tone,” according to the researchers.

Pointing to a number of unique characteristics in the note, the researchers believe it was penned by a fluent Chinese speaker.

They added:

A typo in the note, “帮组” (bang zu) instead of “帮助” (bang zhu) meaning “help,” strongly indicates the note was written using a Chinese-language input system rather than being translated from a different version. More generally, the note makes use of proper grammar, punctuation, syntax, and character choice, indicating the writer was likely native or at least fluent. 

The most compelling evidence is that the Chinese note contains “substantial” content that isn’t present in any of the other ransomware notes. That was enough for the researchers to conclude “with high confidence” that the authors of the ransomware notes are fluent in Chinese, particularly that of southern China, with language commonly found in Hong Kong, Taiwan or Singapore.


About the author


LIFARS is a digital forensics and cybersecurity intelligence firm based in New York City. LIFARS is ranked as one of the top Digital Forensics and Cyber Investigations companies in 2016 and as one of the top cybersecurity companies in the New York metropolitan area for 2015 on the Cybersecurity 500 – a directory of the hottest and most innovative companies to watch in the cybersecurity industry.
