WannaCry ransom
The WannaCry pop-up ransom message that appears when systems are infected Screengrab/Cyphort

The WannaCry ransomware hackers have still not been identified, but a new research indicates the perpetrators may be Chinese and not North Korean as was previously suggested by some experts.

Security firm Flashpoint conducted a detailed analysis on the ransom messages sent to victims and found that it was likely written by hackers who were of Chinese origin. Several researchers have suspected that North Korean-affiliated "Lazarus Group" was behind the attack due to similarities in the malware execution code, but Flashpoint analysts say linguistic review of the 28 ransom messages can help determine the native tongue of the hackers.

The research analysed each note individually for content, accuracy and style, and compared them to previous ransom messages associated with other ransomware samples. While there were similarities, an exact match was not found.

The researchers dug deeper to find that the sample messages contained language configuration files with translated ransom messages for an array for languages starting from English, Chinese, Dutch, German, Greek to Bulgarian, Romanian, Russian, Slovak and of course Korean. All the notes, except for English and Chinese versions (Simplified and Traditional), had been translated.

According to the research, English and Chinese notes were most likely written by a human.

Linguist experts said that the two Chinese ransom notes differed substantially from other notes in content, format, and tone. Google Translate does not have good track record in translating Chinese to English and English to Chinese, and often produces inaccurate results. Some characters on the Chinese notes also indicate it may have been written using a Chinese-language input system.

On further analysis, the English note sports a glaring grammatical error, suggesting the speaker may be a non-native English speaker. This version was used as the source text for translating the note into other languages as the accuracy of English to other languages translation is much better on Google compared to translating Chinese to any other language.

Flashpoint says it is difficult to pull out the nationality of the hackers as they may be affiliated to any Asian or even non-Asian country.

Although it is possible that the Chinese notes were used to mask the identity of the hackers, what's for certain is that the creators of the notes are fluent in Chinese – both simple and traditional, the firm said.