Linguistic Analysis Suggests WannaCry Hackers Could be From Southern China

It’s been almost four weeks since the outcry of WannaCry ransomware, but the hackers behind the self-spread ransomware threat have not been identified yet.

However, two weeks ago researchers at Google, Kaspersky Lab, Intezer and Symantec linked WannaCry to ‘Lazarus Group,’ a state-sponsored hacking group believed to work for the North Korean government.

Now, new research from dark web intelligence firm Flashpoint indicates the perpetrators may be Chinese, based on its own linguistic analysis.

Flashpoint researchers Jon Condra and John Costello analyzed each of WannaCry’s localized ransom notes, which is available in 28 languages, for content, accuracy, and style, and discovered that all the notes, except English and Chinese versions (Simplified and Traditional), had been translated via Google Translate.

According to the research, Chinese and English versions of the ransomware notes were most likely written by a human.

On further analysis, researchers discovered that the English ransom note contains a “glaring” grammatical error, which suggests the ransomware author may be a non-native English speaker.

“Though the English note appears to be written by someone with a strong command of English, a glaring grammatical error in the note suggest the speaker is non-native or perhaps poorly educated.”

And since Google Translate does not work good at translating Chinese to English and English to Chinese, and often produces inaccurate results, the English version could be written for translating the ransom note into other languages.

Read more…