WannaCry written by Chinese speakers: Flashpoint

Flashpoint linguists think the authors of WannaCry were native Chinese speakers

Image of Chinese language ransom note sent by WannaCry malware. (Image from Kaspersky Lab)

TAIPEI (Taiwan News) -- Linguists at the dark web intelligence firm Flashpoint say the Mandarin Chinese version of the ransom message sent by the WannaCry malware program was the only one composed by native speakers, indicating that it may have been made in China, not North Korea as previously suspected by antivirus company Symantec. 

Flashpoint's linguists analyzed ransom notes generated by WannaCry in 28 languages from Bulgarian to Vietnamese, and found that all had been generated by Google Translate, with the exception of English and Simplified and Traditional Chinese. However, the English message had grammatical errors indicating it was written by a non-native English speaker.

The Chinese messages, on the other hand, were composed at a native level and differed substantially from the other notes (including the English version) in content, format, tone, and length. 

There are a number telltale traits in the ransom note that correspond to a native Chinese speaker. The typo  “帮组” (bangzu) instead of “帮助” (bangzhu) meaning “help,” indicates that it was written with a Chinese-language input system that possibly involved keying in the mainland Chinese romanization system Pinyin, as the typo appears to result from failing to input the letter "h." 

Flashpoint adds:

More generally, the note makes use of proper grammar, punctuation, syntax, and character choice, indicating the writer was likely native or at least fluent. There is, however, at least one minor grammatical error which may be explained by autocomplete, or a copy-editing error.
 

The firm further narrows down the geographic origin of the author in Greater China. The use of 礼拜” for “week,” is more common in South China, Hong Kong, Taiwan and Singapore. The other term “杀毒软件” for “anti-virus” is more common in the Chinese mainland and its component "软件" for "software" is never used in Taiwan, where the word "軟體" is used instead.

English is the main language of instruction in schools in Singapore, and Singapore English is the main language of communication in society, while other languages such as Mandarin, Malay, and Tamil are taught in as well, even members of these ethnic groups are increasingly speaking English at home. While in Hong Kong, the medium of instruction and main languages used for communication are Cantonese and English, and written Cantonese in fact can have a number of significant differences from written Mandarin,depending on the context.

Thus it is likely the authors of the WannaCry ransom notes had acquired their language skills in South China, rather than Singapore, Hong Kong, or Taiwan, though this cannot be proven with 100 percent certainty without further evidence.

Flashpoint added that, though unlikely, these Chinese language characteristics could have been intentionally added to disguise the creators' true identity.