A new analysis of the ransom note included with the global WannaCry Microsoft Windows malware hack earlier this month suggests that it may have originated in southern China.
As reported by the South China Morning Post (SCMP), Flashpoint, a for-profit internet consultancy, claimed that a proprietary analysis of the language used in the ransom note attached to the WannaCry malware attacks indicates a southern China origin.
Flashpoint, a US-based internet security consultancy, claimed that the ransom note was written by “native Chinese-speakers with southern accents,” from regions in or around the southern Chinese mainland, Hong Kong, Singapore, or possibly Taiwan, according to the report.
Although earlier reports suggested a North Korean origin for the malware, the US company’s analysis asserts the south China origin with “high confidence,” SCMP reports.
The targeted malware, which locks the data of a computer running certain versions of the Microsoft Windows operating system and displays a message in 28 languages demanding a cryptocurrency ransom to unlock the device, has affected over 300,000 computers in some 150 countries over the past two weeks, as infections continue to spread.
The internet security company claimed that analysis revealed that the ransom note was written first in Chinese and then manually translated into English — before using Google Translate to convert the note into other languages.
“A typo in the note, bang zu (幫組) instead of bang zhu (幫助), which means ‘help,'” stated the report, “strongly indicates the note was written using a Chinese-language input system rather than being translated from a different version.”
The company added that, “The text uses certain terms that further narrow down a geographic location. One term, libai (禮拜) for ‘week,’ is more common in southern China, Hong Kong, Taiwan, and Singapore.”
However, Chinese language professor Zhang Kefeng, of Jimei University in Xiamen, Fujian province, remained unconvinced about Flashpoint’s conclusions.
“Libai is not just used in southern China,” Zhang said. “Many areas in the north use the word in communication as well, and every day.”
“It is difficult to spot geographical differences in written Chinese nowadays, especially among educated people. People with different accents tend to write in a style very similar,” he added.
According to software firm Symantec, the cyberattack can be linked to the Lazarus group, hackers connected to several high-profile cyberattacks including attacks against banks, casinos, and global financial institutions, cited by Zdnet.com.
The SCMP report noted that many Beijingers use the word libai routinely in everyday speech, adding that it is too early to make a useful conclusion.
“A professional hacker often leaves behind numerous decoys to mislead the chase,” said one cybersecurity expert interviewed by SCMP.
Former US Department of Homeland Security Director Michael Chertoff said this weekend that that he believes the North Korean government or its allies are most likely to be behind the hack.