According to foreign media reports on the 26th, threat intelligence company Flashpoint carried out a language analysis of dozens of ransom notes from the WannaCry ransomware and concluded that the developers behind it may come from Chinese-speaking countries.
The WannaCry ransomware recently broke out around the world, with the attackers exploiting SMB vulnerabilities to carry out network attacks. Last week, Google, Kaspersky and other security companies issued statements pointing out a potential link between WannaCry and the Korean hacker group Lazarus. Subsequently, security experts analyzed the WannaCry ransom notes and said that they were written in 28 languages, including Chinese (Simplified and Traditional), Korean and Russian, and that the Chinese text is extremely accurate and fluent.
In addition, some of the terms used in the Chinese notes helped security experts narrow the geographical scope further. For example, the term “worship” in the ransom notes is common in South China, Hong Kong, Taiwan or Singapore, while “anti-virus” and “antivirus” are common in mainland China.
It is noteworthy that the Chinese ransom notes contain content that does not appear in the other versions of the notes, are longer, and have a slightly different layout. The English version of the ransom note looks good but contains some major grammatical errors, which indicates that the developer's native language is not English or that the developer is not highly educated.
Flashpoint's analysis suggests that the attacker could have used code from the Korean hacker organization Lazarus as a decoy to mislead investigators, or that a North Korean APT organization recruited Chinese-speaking developers.