Flashpoint: WannaCry Worm Likely Came from China

Security firm Flashpoint thinks it has a potential “patient zero” for the WannaCry distribution worm: southern China.

Users infected by the worm, which used a Windows security hole to upload the ransomware, received a ransom note built into the malware set to display one of several languages.

In a blog post on their web site, Flashpoint explains some of the signs they used to narrow down the possible origins.

Analysis revealed that nearly all of the ransom notes were translated using Google Translate and that only three, the English version and the Chinese versions (Simplified and Traditional), are likely to have been written by a human instead of machine translated. Though the English note appears to be written by someone with a strong command of English, a glaring grammatical error in the note suggest the speaker is non-native or perhaps poorly educated.

Flashpoint found that the English note was used as the source text for machine translation into the other languages. Comparisons between the Google translated versions of the English ransomware note to the corresponding WannaCry ransom note yielded nearly identical results, producing a 96% or above match.


A number of unique characteristics in the note indicate it was written by a fluent Chinese speaker. A typo in the note, “帮组” (bang zu) instead of “帮助” (bang zhu) meaning “help,” strongly indicates the note was written using a Chinese-language input system rather than being translated from a different version. More generally, the note makes use of proper grammar, punctuation, syntax, and character choice, indicating the writer was likely native or at least fluent. There is, however, at least one minor grammatical error which may be explained by autocomplete, or a copy-editing error.

The text uses certain terms that further narrow down a geographic location. One term, “礼拜” for “week,” is more common in South China, Hong Kong, Taiwan, and Singapore; although it is occasionally used in other regions of the country. The other “杀毒软件” for “anti-virus” is more common in the Chinese mainland.

Efforts by other analysts have previously centered on North Korea’s Lazarus Group, a cybercrime enterprise most notably credited with hacking Sony Pictures and leaking several internal documents from top executives there, and an $81 million heist from the Bangladesh Bank. Researchers cited reused code samples from previous malware attacks linked to the group as potential evidence of Lazarus’ involvement, however Symantec believes another party to be responsible.

In a related story, security firms are claiming that Windows XP users actually had very little to fear from the worm, according to a new report from The Verge. Both Kryptos Logic and Kaspersky Lab say XP systems were, in their tests, crashed by the worm before the ransomware could be injected and activated, which indicates the outdated computers were actually less likely to be affected by the worm than their Windows Vista-8 brethren.

Kryptos also released new information showing that China was the country most targeted by the worm, with previous leader Russia slightly behind the US. This metric, however, is not an indication of infections as the data is based on measurements of traffic on the sinkholed killswitch domain.

Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *