WannaCry's threat seems passed, but its author and owner is still a riddle. Researchers are interested why such a worldwide ransomware is made with so low skills.
More and more evidences point that WannaCry is connected with China or North Korea. There are two opinions that are derived from separate views and analysing.
At begging, we want to know who is the direct author or creator. Flashpoint, a security firm, indicates the ransomware is created by people of Southern China. It said that Wannacry uses 28 languages to show its ransom notice, instruct victims to transfer money, otherwise their data will be permanently lost. However, 25 of the languages are translated from English by Google Translate; only English and Chinese (including Simplified and Traditional) versions are written by human.
So, the authors' mother language should be either English or Chinese, and they should know two of them. Some disclosed details hint the authors probably are Chinese.
Firstly, there are few people whose mother language is English to learn Chinese and Software concurrently. But reversely many Chinese people study software and know more or less English.
Secondly, Chinese versions have more contents and are more fluent than all other versions. The Chinese notice has proper grammar, punctuation, and syntax. It means the authors prefer to express with Chinese. The English version is just used as source to translate to other languages.
Finally, the English version has a few grammatical errors that suggest it was written by non-native or perhaps poorly educated person. An obvious error is like "But you have not so enough time". If a native English person’s English skill is so bad, he or she shouldn’t be able to create any ransomware.
In fact, "But you have not so enough time" is a very low English grammar error. Supposed the creators are assumed as Chinese, their education should be very poor, or say precisely, be lower than college.
A typo in the Chinese note,"帮组" (bang zu) instead of "帮助" (bang zhu), strongly hints the authors input Chinese chars by PinYin. It's actually an important clue to locate the writer. Because PinYin is a popular input method in China mainland, and the typo, which is due to pronunciation difference at separate areas, usually happens south to Yangzi River. So, Flashpoint cautiously reasoned that the ransomware is connected to Southern China.
By some Chinese words' usages, Flashpoint thinks that people in Hong Kong, Taiwan, or Singapore are also the possible writers. But this argument isn’t accepted widely. A basic fact is that Hong Kong, Taiwan, and Singapore have nice English education. On average their high school students have better English writing than this English ransom note.
Therefore, by analyzing the ransom notices, we can describe the authors as: lower than college education and grown in south of China. Considered other defeats and low level errors of WannaCry, we may assume the authors young, amateur, and with poor software developing ability.
Now we start to doubt this conclusion. Can such authors launch a worldwide ransomware attack? Some concerns are raised; there are three key questions.
Sometimes hackers deliberately misuse language in order to circumvent this kind of analysis. Do the ransom notes want to hide something? In general, computer virus just destroies your files or steals data from your computer, it needs hide itself. However, ransomware shouldn’t have the same preference, if you don’t know them, how to pay ransom?
Ransomware is complicated software, how do the guys without college education deliver it? WannaCry indeed includes some bright points, such as encryption algorithm and NSA's toolkit. Even common computer science graduates cannot finish it independently. So, its creators should work for an organization related to information security and can access the main WannaCry components in work space. Although the creators aren't top technology guys, they are possible to merge some existing core parts into an amateur ransomware.
What is the purpose of the creators or authors? Get money or enter jail. Why does an unexperienced person launch an attack without reasonable motivation? The answer is that the creators did it for their boss. It shouldn’t a personal action. The further analysis will uncover the real owner of WannaCry.
WannaCry isn't a product of one or a few hackers, especially of a young Chinese with without good college education. Do the creators work for Chinese government or any other organization? No, because the information security industry has decent salary in China. Even the entry level positions can hire good educated employees, who hardly say English as "But you have not so enough time".
The ransom notes are written by someone whose mother language is Chinese, it’s probably true. But the boss is from other country, which would meet with three criteria: dare to confront whole the world; poor and cannot afford good salary; and close to China in geography.
We know the US government is pointing to North Korea. In fact, the relationship between North Korea and China, especially in intelligence domains, is probably much more complicated than widely appreciated.
Now researchers have found some links to North Korea. One is Lazarus Group, which is believed to be sponsored by North Korea, is related to this attack. Another is an early version of WannaCry has been installed on two computers that are same as North Korea attacked Sony Pictures in the 2014.
Now we have a big picture of WannaCry: who creates it and who owns it.