Forensic linguistic analysis of WannaCry points to Southern China
The WannaCry malware took crucial data hostage and demanded a ransom in return for its restoration.
Almost all the ransom notes were translated using Google Translate, except for the ones in English, traditional Chinese and simplified Chinese, said Flashpoint, which provides business-risk intelligence. Interestingly, though, the WannaCry ransom messages in Chinese and English appeared to have been written by a human.
According to the report, experts from the United States company Flashpoint carried out a linguistic analysis of the code and found that the malware had been written by native Chinese speakers with southern accents. More generally, the note makes use of proper grammar, punctuation, syntax, and character choice, indicating the writer was likely native or at least fluent.
“A typo in the note, bang zu (幫組) instead of bang zhu (幫助), which means ‘help’, strongly indicates the note was written using a Chinese-language input system rather than being translated from a different version”, the report said. A new ransomware note analysis conducted by the U.S. intelligence company Flashpoint hints at a native Chinese speaker. Google Translate fails in both Chinese-English and English-Chinese tests, producing inaccurate results that suggest the Chinese text was likely not generated from the English text. “One term, libai (禮拜) for ‘week,’ is more common in southern China, Hong Kong, Taiwan, and Singapore”.
However, Chinese language professor Zhang Kefeng, of Jimei University in Xiamen, Fujian province, remained unconvinced about Flashpoint’s conclusions.
“It is hard to spot geographical differences in written Chinese nowadays, especially among educated people”. The company went through ransom notes in 28 languages, and it found that the accuracy and style of Chinese ransom notes had “moderate confidence”.
Earlier, the US software company Symantec said North Korean hackers could have been behind the WannaCry ransomware attack.
“Libai is not just used in southern China”. While most of the organisations have recovered from the attack, some are still under siege.
Others had doubted the link, as the attack seemed less sophisticated than those carried out by the North Korean-linked Lazarus Group.
WannaCry affected more than 300,000 PCs around the world with its worm-like ability to infect Microsoft Windows machines, specifically those running older Windows versions.
Mr James Scott, a senior fellow at the Institute for Critical Infrastructure Technology, said WannaCry was “barely functional” and spread widely only because of the large number of networks and computers which failed to upgrade security.
The two Chinese ransom notes differ substantially from other notes in content, format, and tone.