
Threat Intelligence

5/25/2017
01:00 PM

WannaCry Ransom Notes Penned by Chinese-Speaking Authors, Analysis Shows

But a Chinese-language link doesn't shoot down theories of the North Korean Lazarus Group's involvement in the ransomware worm attacks, say language experts at Flashpoint.

A linguistic analysis of the ransom notes used in the WannaCry ransomware attacks shows a Chinese-speaking author was behind the original blackmail message.

Language experts at Flashpoint who conducted the analysis say these findings do not, however, contradict the research findings of Symantec, Kaspersky Lab, BAE, and others that the WannaCry ransomware worm is the handiwork of the infamous North Korean Lazarus Group hackers.

"Our findings don't necessarily contradict a link to Lazarus. This is just an added data point in the attribution bubble. We don't know a helluva lot about the Lazarus Group so it's entirely possible, if our analysis is correct, there are Chinese speakers in that group" involved in WannaCry, says Jon Condra, director of Asia Pacific research for Flashpoint. That means they could be native speakers or people who speak Chinese as well as their native tongue.

Symantec this week doubled down on its theory that the epic WannaCry ransomware worm was the handiwork of hackers out of North Korea, but with the caveat that it was not a state-sponsored campaign. WannaCry infected some 230,000 machines in 150 countries yet generated only about $110,000 in ransom since its launch on May 12. Other researchers, including from Google, Kaspersky Lab, and BAE Systems, also suspect Lazarus Group connections, while other security firms say it's too soon for any attribution.

Getting a view into North Korea's cyber machine is difficult since the nation is so isolated and cloaked, especially online, but experts long have theorized that North Korea has hackers operating out of other countries such as China to mask their activities or to throw off investigators.

Condra says it's known that North Koreans often travel abroad, including to China, and speak the language there as well. North Korean hackers are believed to operate out of China, especially in the northeast region of the country, he says, as well as now increasingly in Malaysia and Southeast Asia. "It's very likely somebody within Lazarus or an affiliate who knows somebody [in Lazarus]" worked on WannaCry, he says.

Other security experts have noted that North Korea's cyber operations spread beyond its borders. John Bambenek, manager of threat intelligence systems for Fidelis Cybersecurity, says North Korea's state-sponsored cyber operations are effective because "they don't operate in" North Korea.

One twist that has Flashpoint's Condra and his team baffled, however, is that the Korean-language ransom note is poorly written syntactically, with very basic errors and incorrect grammar structure. "Why is the Korean [language] so butchered? That's a question in itself. Why would they go to such lengths to obfuscate Korean and make it look non-native, but not change the infrastructure [Lazarus Group] behind the attack?"

Flashpoint studied the 28 different ransom notes found in the WannaCry attacks, which were written in 27 different languages. There were two notes in Chinese, one in so-called simplified characters and the other in so-called traditional characters. They found that the two Chinese ransom notes were more detailed and appeared to be handcrafted, while the others likely had been generated from an English-language note into the other languages, which include Bulgarian, French, German, Italian, Japanese, Korean, Russian, Spanish, Vietnamese, and others.

"Flashpoint assesses with high confidence that the author(s) of WannaCry’s ransomware notes are fluent in Chinese, as the language used is consistent with that of Southern China, Hong Kong, Taiwan, or Singapore. Flashpoint also assesses with high confidence that the author(s) are familiar with the English language, though not native. This alone is not enough to determine the nationality of the author(s)," the researchers wrote in a report published today.

Condra describes the clues they found as compelling. "The Chinese ransom notes were substantially different," he says. "They had five or six different colloquial sayings that don't show up in the other notes," for example, he adds.

The clauses, "Right, I forgot to tell you," and "Even the coming of God can't restore these documents," were unique to those notes, he says. "These are little minor things in there that add flavor or color that doesn't exist in the other languages'" notes, he says.

He believes the Chinese ransom notes were hand-typed rather than translated via Google Translator or another application. "They made a typo that a machine translator would not have made," he says.

The English version of the ransom note, meanwhile, also read smoothly, as if whoever crafted it spoke the language and it wasn't generated by a translation program. Flashpoint says that note was likely used as the base for auto-translating the other notes (with the exception of the Chinese ones): it found a 96%-plus overlap between the English ransom note and every other ransom note except the Chinese-language ones.
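One language-agnostic way to estimate that kind of overlap between note variants, as an added example that is neither Flashpoint's method nor code from the article: machine translation of a single base note tends to preserve the note's skeleton (line breaks, numbers, URLs, ASCII punctuation), whereas a separately hand-written note does not. Comparing only those skeleton tokens gives a rough similarity score between any two notes regardless of their language. All note texts, the payment address and the URL below are constructed for the example.

```python
"""Language-agnostic overlap between ransom-note variants (added example).

Assumption: translating one base note by machine keeps its structural
skeleton (line breaks, digits, URLs, ASCII punctuation), while a note written
by hand in another language changes that skeleton.  Scoring the skeletons
lets an analyst flag which variants were not derived from the base note.
"""
from difflib import SequenceMatcher
import re

# Tokens that survive translation more or less untouched.
SKELETON_RE = re.compile(r"https?://\S+|\d+(?:\.\d+)?|[.,!?:;()\[\]\"']|\n")

# Constructed sample notes (not real WannaCry text).
BASE_EN = """Ooops, your files have been encrypted!
Send 300 USD in bitcoin to 1ExampleAddressXXXX within 3 days.
Visit http://example.invalid/decrypt for instructions.
"""

# Constructed "machine-translated" variant: same skeleton, different words.
VARIANT_DE_MT = """Hoppla, Ihre Dateien wurden verschluesselt!
Senden Sie 300 USD in Bitcoin an 1ExampleAddressXXXX innerhalb von 3 Tagen.
Besuchen Sie http://example.invalid/decrypt fuer Anweisungen.
"""

# Constructed hand-written variant: extra colloquial line, full-width
# punctuation, numerals spelled out.  Its skeleton diverges from the base.
VARIANT_ZH_HAND = """糟糕，你的文件已经被加密了！
对了，忘了告诉你：就算上帝来了也恢复不了这些文件。
三天内把 300 美元的比特币发到 1ExampleAddressXXXX。
详情请看 http://example.invalid/decrypt 。
"""

NOTES = {"de_mt": VARIANT_DE_MT, "zh_hand": VARIANT_ZH_HAND}


def skeleton(text: str) -> list[str]:
    """Reduce a note to the ordered list of its language-independent tokens."""
    return SKELETON_RE.findall(text)


def overlap(a: str, b: str) -> float:
    """Similarity in [0, 1] between the skeletons of two notes."""
    sa, sb = skeleton(a), skeleton(b)
    if not sa and not sb:
        return 1.0
    return SequenceMatcher(None, sa, sb, autojunk=False).ratio()


def rank_against_base(base: str, variants: dict[str, str]) -> list[tuple[str, float]]:
    """Score every variant against the base note, highest overlap first."""
    scored = [(name, overlap(base, text)) for name, text in variants.items()]
    return sorted(scored, key=lambda kv: kv[1], reverse=True)


def outliers(base: str, variants: dict[str, str], threshold: float = 0.9) -> list[str]:
    """Names of variants whose skeleton overlap with the base is below threshold."""
    return [name for name, score in rank_against_base(base, variants) if score < threshold]


if __name__ == "__main__":
    for name, score in rank_against_base(BASE_EN, NOTES):
        print(f"{name:8s} overlap={score:.2f}")
    print("likely hand-written:", outliers(BASE_EN, NOTES))
```

The threshold is a judgment call: the skeleton score only says a note does not share the base note's structure, not who wrote it, so a low score is a prompt to read the note by hand, which is where the colloquialisms and typos Flashpoint describes would be found.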

The English ransom note used correct spelling and capitalization, for example, but there were clues it wasn't written by a native speaker, according to the study. The author incorrectly used the word "couldn't" instead of "can't" in one sentence, for example, and used a clause with incorrect word order: "You have not so enough time." Condra says these patterns could have been intentional, as a false flag, for example.

Flashpoint says it has "moderate confidence" the authors have English-language familiarity and "are likely to have based the English ransomware note off of the Chinese one, and subsequently used it as the basis for machine translation of the ransom notes into all other languages."

Meantime, Flashpoint's linguistic analysis doesn't really confirm or deny the North Korean Lazarus Group's involvement. "Unfortunately, we don't know enough about the Lazarus Group. Maybe it's a combination of North Korea and Chinese" members, Condra says.

The Lazarus Group also could have employed subcontractors for the ransom notes, for example, he says. But the researchers concluded that the notes were generated for the WannaCry attacks and not recycled from some previous ransomware attacks. 

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
