New analysis suggests Chinese-speaking criminals may have been behind the WannaCry ransomware that affected thousands of organisations worldwide.
Researchers from Flashpoint looked at the language used in the ransom notice.
They said the use of proper grammar and punctuation in only the Chinese versions indicated the writer was “native or at least fluent” in Chinese.
The translated versions of the ransom notice appeared to be mostly “machine translated”.
The WannaCry ransom note could be displayed in 28 different languages, but only the Chinese and English versions appeared to have been written by humans.
The English text also used some unusual phrases such as: “But you have not so enough time”.
The WannaCry cyber-attack infected more than 200,000 computers in 150 countries, affecting government, healthcare and private company systems.
The UK’s National Crime Agency, the FBI and Europol are investigating who was responsible for the ransomware.
- What can you do to protect your business?
- WannaCry and the malware hall of fame
- Global manhunt for WannaCry creators
Some earlier analysis of the software had suggested criminals in North Korea may have been behind it.
But the Flashpoint researchers noted the Korean-language ransom note was a poorly translated version of the English text.
“It was only really the Chinese and the English versions that appeared to be written by someone that understood the language,” said cyber-security expert Prof Alan Woodward from the University of Surrey.
“The rest appeared to come from Google Translate. Even the Korean.”