WannaCry ransom note

According to a linguistic analysis of the WannaCry ransom notes, the ransomware appears to be the work of a Chinese-speaking author, according to Jon Condra and John Costello, two Flashpoint researchers.

After analyzing each of WannaCry's localized ransom notes, available in 28 different languages, the two feel pretty confident the ransom note was written by persons fluent in Chinese, but also in English.

Two ransom note templates discovered: English & Chinese

In fact, researchers say that there appear to be two ransom notes at the base of all other WannaCry notes. There is one written in Chinese, and one in English, which was used as the template for the other ransom notes.

Flashpoint researchers say that if someone would be to take the text of WannaCry English ransom note and pass it through Google Translate, he'd get translations that are on average 95% identical with the ransom notes found in the real WannaCry package.

This has led researchers to believe that the WannaCry author — or authors — have used the English note as a boilerplate for the other languages, except Chinese.

This is because Google Translate yields better translations from English to other languages. On the other hand, translating between other languages gives many errors and inaccurate translations.

WannaCry Chinese ransom notes are different from the rest

But the reason why Flashpoint researchers believe WannaCry is the work of a Chinese-speaking user is because of the two Chinese ransom notes — Simplified and Traditional — which are lengthier, differ in format compared to the English version, and are written by a person knowledgeable of the intricacies of the Chinese language.

Below are the key findings of the Flashpoint research:

Though the English note appears to be written by someone with a strong command of English, a glaring grammatical error in the note suggest the speaker is non-native or perhaps poorly educated.

On the other hand...

The two Chinese ransom notes differ substantially from other notes in both content, format, and tone. Google Translate fails in both Chinese-English and English-Chinese tests, producing inaccurate results that suggests the Chinese text was likely not have been similarly generated by the English text.

A number of unique characteristics in the note indicate it was written by a fluent Chinese speaker. A typo in the note, “帮组” (bang zu) instead of “帮助” (bang zhu) meaning “help,” strongly indicates the note was written using a Chinese-language input system rather than being translated from a different version. More generally, the note makes use of proper grammar, punctuation, syntax, and character choice, indicating the writer was likely fluent or at least native. There is, however, at least one minor grammatical error which may be explained by autocomplete, or a copy-editing error.

The text uses certain terms that further narrow down a geographic location. One term, “礼拜” for “week,” is more common in South China, Hong Kong, Taiwan, or Singapore. The other “杀毒软件” for “anti-virus” is more common in the Chinese mainland.

So there you have it. It's now up to you to decide if you believe the North Korean attribution angle, or this new theory hinting that a Chinese-speaking user/group was behind the ransomware.

WannaCry ransom notes support the following languages:

Bulgarian, Chinese (simplified), Chinese (traditional), Croatian, Czech, Danish, Dutch, English, Filipino, Finnish, French, German, Greek, Indonesian, Italian, Japanese, Korean, Latvian, Norwegian, Polish, Portuguese, Romanian, Russian, Slovak, Spanish, Swedish, Turkish, Vietnamese