Chinese-speaking cyber criminals may have been behind the WannaCry ransomware virus that swept across the world earlier this month, according to researchers from business risk intelligence firm Flashpoint.
They found that only the Chinese and English versions of the ransom demand the malware displayed contained proper grammar and punctuation, suggesting the writer was at least fluent in Chinese.
Other versions of the ransom note appeared to have been translated using simple online tools such as Google Translate, the researchers found.
“Analysis revealed that nearly all of the ransom notes were translated using Google Translate and that only three, the English version and the Chinese versions (Simplified and Traditional), are likely to have been written by a human instead of machine translated,” the researchers note.
They said the language used by the hackers behind the attack appeared to be “consistent with that of Southern China, Hong Kong, Taiwan or Singapore”.
The virus, which hit major businesses and public bodies including the UK’s National Health Service and French carmaker Renault, encrypted users’ files and then demanded a $300 (€268) ransom to unlock them.
Flashpoint examined the ransom note the malware presented to infected users, which was available in 28 different languages.
The company found the English version of the note was used as the source text for all other languages except for Chinese (Simplified and Traditional), suggesting the latter two had been composed by a native or fluent speaker.
“It was only really the Chinese and the English versions that appeared to be written by someone that understood the language,” said Professor Alan Woodward, a cyber security expert from the University of Surrey in the UK.
“The rest appeared to come from Google Translate. Even the Korean.”
It had previously been suspected that North Korean hackers may have been behind the malware, after code was found in an earlier version of the virus that was known to have been used previously by cyber criminals from the secretive state.
Separately, data released yesterday by Kryptos Logic reveals that most WannaCry victims were located in China, and not Russia as various online security firms had initially reported.
China was by far the most affected country, making 6.2 million requests in the past two weeks to the main kill-switch domain designed to stop the malware, Kryptos found.
“[I]t turns out that within 48 hours WannaCry potentially became one of the largest worm outbreaks we have seen, rivalling botnets which have been in operation and growing for years,” Kryptos researchers said in a blog post.
“What this tells us is the real reason WannaCry was so dangerous, velocity. Velocity was so high that within one week it could propagate more than every spam campaign, exploit kit, website hijack, you name it attack type using a single vulnerability (sic).”