WannaCry Ransom Note Analysis By Flashpoint Points Finger At China
We may soon know who created the WannaCry ransomware that shook the entire world. A new ransom note analysis conducted by the US intelligence company Flashpoint hints at a native Chinese speaker.
During the first strike of the ransomware on organizations, reports hinted at Russian links to the attackers. But this new analysis upends those theories, as Flashpoint conducted a deep analysis of the language style. The company went through ransom notes in 28 languages and, based on the accuracy and style of the Chinese ransom notes, concluded with "moderate confidence" that the writer was a native Chinese speaker.
Flashpoint also discovered that the Chinese ransom notes contained more words than the notes in other languages, again suggesting that a native speaker wrote them.
The report also suggests that the English ransom notes were written accurately and do not look machine-translated. However, a grammatical error such as "But you have not so enough time" in the English ransom note indicates that the writer was not a native speaker, perhaps a "non-native or perhaps poorly educated."
Other than the English ransom note, all the other notes were found to have been translated with the help of Google Translate. Flashpoint also said that it compared the English notes with the notes written in other languages, and they were found to be 96 to 100 percent alike.
Besides Russia, the attacks were also linked to North Korea, thanks to the analysis by Google security researcher Neel Mehta. In his research, Mehta found that the code used in WannaCry's initial version was identical to the code used by the hacking gang Lazarus Group. Lazarus also had links with the government of North Korea. Although Lazarus is deemed to work with the government in its homeland, ZDNet reports that the group is also believed to be working outside the region.
WannaCry affected more than 300,000 PCs around the world with its worm-like ability to infect Microsoft Windows machines, specifically the ones on older Windows versions. While most of the organisations have recovered from the attack, some are still under siege.