WannaCry creators could be Chinese
US intelligence company analysed language used in ransom notes
The WannaCry Malware that affected as many as 300,000 computers worldwide was likely authored by hackers from southern China, Hong Kong, Taiwan or Singapore, said a US intelligence company.
The attacks discovered earlier this month caused havoc in global computer networks, affecting as many as 150 countries and disrupting governments and several industries.
Infected systems were locked down with a note demanding a ransom, written in 28 different languages.
Nearly all the ransom notes were translated using Google Translate, except for the ones in English, traditional Chinese and simplified Chinese, said Flashpoint, which provides business-risk intelligence.
These appeared to have been written by a human, it said.
"Though the English note appears to be written by someone with a strong command of English, a glaring grammatical error in the note suggests the speaker is non-native or perhaps poorly educated," Flashpoint wrote in an analysis published on its website last Thursday.
The error was in the line "But you have not so enough time".
The English note also omits a few phrases from the Chinese notes, but it was used as the source text for machine translation into the other languages, it added.
...the WannaCry attacks “do not bear the hallmarks of a nation-state campaign but are more typical of a cybercrime campaign.
The Chinese notes, meanwhile, were fluent and appeared to be written by a native speaker.
They contained a typo in the phrase meaning "help" (bang zhu), indicative of Chinese language input.
The note also used a term for "week" (li bai) that is more common in south China, Hong Kong, Taiwan and Singapore, Flashpoint said.
It used a phrase for "anti-virus" (sha du ran jian) that is more common on the Chinese mainland. But a Chinese language professor disputed this.
Dr Zhang Kefeng, a professor of Chinese language at Jimei University in Xiamen, told the South China Morning Post that "li bai" is also used in northern China.
"It is difficult to spot geographical differences in written Chinese nowadays, especially among educated people," he said.
Comparisons between the Google-translated versions of the English ransomware note to the corresponding WannaCry ransom note yielded nearly identical results, Flashpoint said.
Cybersecurity experts had earlier linked the worm to North Korea after finding similarities to other malware families believed to be developed by North Korean hackers.
Symantec researchers said they had found multiple instances of code that had been used in the North Korea-linked group's previous activity and in early versions of WannaCry.
However, it concluded that the WannaCry attacks "do not bear the hallmarks of a nation-state campaign but are more typical of a cybercrime campaign".
Others had doubted the link as the attack seemed less sophisticated than those carried out by the North Korean-linked Lazarus Group.
Various estimates showed the "ransom" raised amounted to a paltry US$116,000 (S$160,000) from 302 entities more than a week after computers were locked down.
Mr James Scott, a senior fellow at the Institute for Critical Infrastructure Technology, said WannaCry was "barely functional" and spread widely only because of the large number of networks and computers which failed to upgrade security. - THE STRAITS TIMES