The WannaCrypt extortion notes were most likely written by Chinese-speaking authors, according to linguistic analysis.
WannaCry samples analysed by security outfit Flashpoint contained language configuration files with translated ransom messages for 28 languages. All but three of these messages were put together using Google Translate, according to Flashpoint.
Analysis revealed that nearly all of the ransom notes were translated using Google Translate and that only three, the English version and the Chinese versions (Simplified and Traditional), are likely to have been written by a human instead of machine translated. Though the English note appears to be written by someone with a strong command of English, a glaring grammatical error in the note suggest the speaker is non-native or perhaps poorly educated.
Flashpoint found that the English note was used as the source text for machine translation into the other languages.
The two Chinese ransom notes differ substantially from other notes in both content, format, and tone. This means they were likely that the Chinese text was put together separately from the English text and by someone who is at least fluent in Chinese if not a native speaker. The Chinese note is longer than the English note, containing content absent from other versions of the shake-down message.
The most plausible scenario is that the Chinese was the original source of the English version, say analysts. Flashpoint concludes that the unidentified perps – without speculating on their nationality – are likely to be Chinese speakers.
Flashpoint assesses with high confidence that the author(s) of WannaCry’s ransomware notes are fluent in Chinese, as the language used is consistent with that of Southern China, Hong Kong, Taiwan, or Singapore. Flashpoint also assesses with high confidence that the author(s) are familiar with the English language, though not native. This alone is not enough to determine the nationality of the author(s).