We may never know who the perpetrators of the WannaCry ransomware attack really were. We do know that they utilised an exploit that was part of the NSA's toolkit. We know that the exploit was leaked by a group called The Shadow Brokers. We know the US government is pointing to North Korea. And new research from security firm Flashpoint indicates that there's a connection to Southern China.
In a recent blog post, Flashpoint outlined its linguistic analysis of the ransom notes that were served to Wannacry's victims. Each note basically said the same thing: The victim should transfer a certain number of bitcoins to an account or their data will be permanently lost. But this was a global attack that affected around 100 countries. So the note was distributed in 28 languages.
Flashpoint's researchers have studied the notes and found that whoever the author was, they were likely either "native or at least fluent" in Chinese. They discovered that out of the the 28 different notes, only the English version and the two Chinese character versions (Simplified and Traditional) appear to have been written by a human. All 25 other notes appear to have been translated from the English note using Google Translate.
The English ransom note is almost perfect except for what Flashpoint calls "a glaring grammatical error" that suggests "the speaker is non-native or perhaps poorly educated". The post doesn't point out what that grammatical error is. Looking over the note, there are a few errors but one that stands out is, "But you have not so enough time."
According to Flashpoint, the Chinese notes both contain more information and are different than all the others in content, format and tone. From the post:
A typo in the note, "帮组" (bang zu) instead of "帮助" (bang zhu) meaning "help," strongly indicates the note was written using a Chinese-language input system rather than being translated from a different version. More generally, the note makes use of proper grammar, punctuation, syntax, and character choice, indicating the writer was likely native or at least fluent.
Google Translate doesn't handle Chinese-to-English or English-to-Chinese translation very well.
All of this has lead Flashpoint to cautiously conclude that "the author(s) of WannaCry's ransomware notes are fluent in Chinese, as the language used is consistent with that of Southern China, Hong Kong, Taiwan, or Singapore".
But that doesn't tell us much about the hackers. It certainly doesn't mean they are located in China — hackers can work from anywhere. And hackers are known to deliberately misuse language in order to circumvent this kind of analysis. At the same time, the WannaCry hackers have made some noticeably amateur errors that include using a kill switch that made it simple to briefly shut the spread of the ransomware down, and they didn't use an automated system to ensure that a ransom had been paid.
All of this information just adds to the intrigue around WannaCry. Previous research has pointed to the possible involvement of the Lazarus Group, which is believed to be sponsored by North Korea. And the US government as recently as yesterday seems to like that theory. Flashpoint director of Asia-Pacific research Jon Condra tells ThreatPost, "The relationship between North Korea and China, especially in intelligence domains, is probably much more complicated than widely appreciated." He says that this just another data point and rather than contradicting other firm's conclusions, Flashpoint's work just "adds to them".