The WannaCry ransomware that's swept through nearly a quarter million computers worldwide, encrypting valuable data and demanding payment before it is decrypted, was likely created by native Chinese speakers, according to new research by the cybersecurity firm Flashpoint.
Even if cybersecurity isn't your area, you likely know that over the past two weeks a nasty bit of ransomware named WannaCry created havoc for companies, universities, and even hospitals around the world. It's affected 230,000 computers in 150 countries so far. With security firms alerted and Microsoft rushing to provide a patch (WannaCry exploits a vulnerability in the Windows operating system), the attack seems to be waning for now. But security experts warn that another, worse attack may be coming soon.
Who launched this computer worm into the world? Security companies and law enforcement have so far been unable to identify the hackers, or even what country they're in. Some early researchers noted coding similarities between WannaCry and North Korea's "Lazarus Group" of hackers, but since any programmer can reuse source code, that doesn't pin things down very much.
But now, researchers at the security firm Flashpoint have conducted extensive analysis on the ransomware, using human languages instead of computer languages, and they've pinned down the likely nationality of the hacker or hackers who created WannaCry.
Ransomware, of course, only works if the people whose computers are attacked can read and obey the instructions for sending money to the hackers, and so WannaCry's ransom note appeared on computers in a total of 28 different languages.
But Flashpoint researchers announced, "Analysis revealed that nearly all of the ransom notes were translated using Google Translate and that only three, the English version and the Chinese versions (Simplified and Traditional), are likely to have been written by a human instead of machine translated." The researchers further determined that it was the English version of the ransom note that was fed into Google Translate to create all the other versions, using a simple test: they put the English version of the note through Google Translate themselves and compared the results to the 25 other versions of the note. The results were identical or near-identical.
So how do the researchers know that the culprit or culprits speak Chinese? For one thing, there are a few extra phrases that appear in the Chinese versions but not any other version, suggesting that the note was originally drafted in Chinese, then translated into English and fed into Google Translate from there. A human-style typo in the Chinese version makes it seem that it was drafted directly in that language rather than translated from another language.
It also seems likely that a human rather than a piece of software translated the note from Chinese to English, since running the Chinese note through Google Translate did not produce text similar to the English version of the note. And then there's this: "We guarantee that you can recover all your files safely and easily. But you have not so enough time." It's pretty clear that last sentence was never written by a native English speaker.
And so, a picture emerges of a hacker or hackers who speak Chinese as their native language and are fluent but not perfect in English as a second language. But Flashpoint researchers think they may know even more.
"The text uses certain terms that further narrow down a geographic location," they write. "One term, '??' for 'week,' is more common in South China, Hong Kong, Taiwan, and Singapore; although it is occasionally used in other regions of the country. The other '?