WannaCry Ransomware News: Chinese Security Firms Deny Reports Attack Originated In China

Chinese Cybersecurity firms are pushing back against the suggestion China was in any way involved in the spread of the WannaCry ransomware attack that infected hundreds of thousands of machines around the world last month.

Little is known about the origins of the WannaCry attack at this point, but security researchers working for labs in China say attribution of the attack to any Chinese actor is incorrect — or at least lacking evidence.

Read: WannaCry Ransomware News: Linguistic Analysis Offers Insight About Attackers

"The correct and professional way is to trace the ransomware through the traits of the code," Zheng Wenbin, chief security engineer at cybersecurity firm Qihoo 360, told Chinese state-run media outlet Xinhua.

Zheng said “hackers often add characters from different languages into their code to confuse the public and hide their identity." Therefore attempting to determine the origin of the attack by looking at characters within the interface text of the malware could result in the person investigating the text to be misled.

Li Bosong, the deputy chief engineer at Chinese security company Antiy Labs, also took issue with reports that China may be involved in the WannaCry attack. Bosong said reports of Chinese involvement in the attacks lack substantial evidence

The pushback from Chinese security firms comes weeks after a linguistic analysis of WannaCry linked the attack to a Chinese author. The report, published by U.S. security company Flashpoint, examined the language of the notes attached to the ransom attack to determine what the native tongue of the attacker may have been.

Read: WannaCry Ransomware: Attack Shares Code With North Korea Malware, Experts say

The researchers concluded certain characters used in the Chinese-language ransom note suggested the note was written using a Chinese-language input system instead of a translation, as many of the other notes had.

The Chinese note made use of proper grammar, punctuation, syntax and character choice. It is also the longest of all the notes, containing content not present in any of the other notes and is formatted differently than the rest.

The English-language ransom note was also well-written for the most part — especially compared to some of the other notes that were clearly put through a simple translator — but contains significant grammatical errors that suggest the author, while familiar with the English language, is not a native speaker.

While Flashpoint said its finding suggests the author speaks Chinese fluently, noting it’s possible the actors behind WannaCry intentionally misled with their notes to hide their true origins.

Previously, a Google security researcher noted similarities in the code used in the WannaCry ransomware attack and code in malware used by a notorious North Korean hacking group known as the Lazarus Group.

Security research firm Symantec disclosed findings that drew even stronger links between Lazarus Group and the WannaCry attack, including “substantial commonalities” in the tools, techniques and infrastructure used by the WannaCry attackers and those seen in previous Lazarus attacks. Symantec concluded it was “highly likely” Lazarus Group was behind the spread of WannaCry.