A linguistic analysis conducted on the ransom notes used by the WannaCry ransomware that infected hundreds of thousands of computers around the world earlier this month revealed the author of the attack is likely fluent in Chinese.

Security research firm Flashpoint conducted its analysis by examining 28 ransom notes from the malicious software written in a number of languages. The researchers concluded the attacker is likely fluent in Chinese and speaks some English.

Read: WannaCry Ransomware: Attack Shares Code With North Korea Malware, Experts say

The researchers came to this conclusion by noting that certain characters used in the Chinese-language ransom note used characters that would suggest the note was written using a Chinese-language input system instead of a translation.

The Chinese note also makes use of proper grammar, punctuation, syntax and character choice. It is also the longest of all the notes, containing content not present in any of the other note, and is formatted differently than the rest.

The English-language ransom note was also well-written for the most part—especially compared to some of the other notes—but contains significant grammar errors that suggest the author, while familiar with the English language, is not a native speaker.

Analysts were able to further narrow the author’s origins by examining some of the character choices. “The text uses certain terms that further narrow down a geographic location. One term, “礼拜” for “week,” is more common in South China, Hong Kong, Taiwan, or Singapore. The other “杀毒软件” for “anti-virus” is more common in the Chinese mainland,” the researchers wrote.

Read: Microsoft MS17-010 Vulnerability: EternalRocks Attack Spreading Using Same Exploit As WannaCry Ransomware

“Given these facts, it is possible that Chinese is the author(s)’ native tongue, though other languages cannot be ruled out,” the Flashpoint report concluded. “It is also possible that the malware author(s)’ intentionally used a machine translation of their native tongue to mask their identity. It is worth noting that characteristics marking the Chinese note as authentic are subtle. It is thus possible, though unlikely, that they were intentionally included to mislead.”

While the analysis doesn’t provide any definitive answers about the origins of the ransomware, it does help offer some insight into its author and continues to narrow the list of possible attackers.

Previously, a Google security researcher noted similarities in the code used in the WannaCry ransomware attack and code in malware used by a North Korean hacking group known as Lazarus Group.

Lazarus Group has been responsible for a number of high profile attacks including an $81 million heist of funds from a bank in Bangladesh, a 2013 attack on South Korean television stations and banks, and the 2014 attack on Sony Pictures that resulted in the leak of confidential information and unreleased films.

Security research firm Symantec disclosed findings last week that drew even stronger links between Lazarus Group and the WannaCry attack, including “substantial commonalities” in the tools, techniques and infrastructure used by the WannaCry attackers and those seen in previous Lazarus attacks.

Symantec said it is “highly likely Lazarus was behind the spread of WannaCry,” but noted the WannaCry attacks “do not bear the hallmarks of a nation-state campaign” but, rather, were more typical of the behavior of a cybercrime campaign.

RELATED STORIES
Sony Cybercrime Ransomware