WannaCry creators could be native Chinese speakers

New analysis from Flashpoint churns up evidence that WannaCry ransom notes were written by native Chinese speakers.

Zoey Chong Reporter

A new linguistic analysis suggests that WannaCry creators could be native Chinese speakers who are also familiar with the English language.


We are one step closer to identifying WannaCry creators -- or, at least, the languages they speak.

New linguistic analysis emerged from US intelligence company Flashpoint last Friday that points to a native Chinese speaker (or a group of them) as being responsible for the global ransomware attack that hit more than 100,000 organisations in 150 countries earlier this month.

Flashpoint's report examined ransom notes from WannaCry in 28 languages. The company said, given the style and accuracy of the Chinese notes as well as their lengthier formats, it has "moderate confidence" that a native Chinese speaker was the author.

It also suggested that while the English notes were written more accurately than they would have been had they been machine translated, a "glaring" grammatical error -- "But you have not so enough time" -- indicates the author, though familiar with the English language, is "non-native or perhaps poorly educated."

Ransom notes in other languages were found to be translated from English using Google Translate. When Google-translated versions of the English note were compared to the notes in other languages, they were found to be 96 to 100 percent identical.

The attacks have previously been thought to have come from North Korea, thanks to findings from Google security researcher Neel Mehta. Mehta discovered that computer code in an early version of the WannaCry malware was identical to code used by the Lazarus Group, a hacking group linked to the government of North Korea.

While Lazarus is mostly believed to work for the North Korean government, there is word that the group operates out of China, ZDNet notes.
