WannaCrypt ransomware note likely written by Google Translate-using Chinese speakers

The WannaCrypt extortion notes were most likely written by Chinese-speaking authors, according to linguistic analysis. WannaCry samples analysed by security outfit Flashpoint contained language configuration files with translated ransom messages for 28 languages. All but three of these messages were put together using Google …

  1. DrXym Silver badge

    More to the point

    If the authors used Google Translate then chances are Google has logs of those interactions which include IP address, potentially identity of the person using it. They might have used Tor but then again maybe they didn't.

    1. Aitor 1 Silver badge

      Re: More to the point

      That would tell you at best that the IP is from China, yet tells you nothing about the people behind them... same for note being automatically translated from Chinese.

      1. Halfmad

        Re: More to the point

        Well tells them an IP, might not tell them where the people actually were though.

      2. Voland's right hand Silver badge

        Re: More to the point

        That would tell you at best that the IP is from China,

        Depends how stupid they were. Google cookies are very very very long lived you know.

        The issue is - the likelihood that there are any logs for this one worthy of forensic examination are about nil.

      3. Trigonoceps occipitalis

        Re: More to the point

        If the best that Google can do is "somewhere in China" why are firms paying so much for profiles and targeted ads?

    2. fandom Silver badge

      Re: More to the point

      Now that you mention it, it wouldn't surprise me if the one doing the translations was logged into his Google account while doing them.

      I doubt Google keeps so much logging but they might

      1. Yet Another Anonymous coward Silver badge

        Re: More to the point

        And so it must be from "Southern China, Hong Kong, Taiwan, or Singapore" because that's where all the Mandarin speakers live

        1. DougMac

          Re: More to the point

          Chinese is not a homogenous single language. Different idioms, way of sentence structure (and not applicable here, but vocal patterns) and vocabulary differ highly from area to area, region to region.

          (not even counting the dozens of different regional dialects).

          Most of this is much more relevant to the spoken language, since the written is the same. Most likely what they analyzed given the areas noted is probably the writing looks like it was written by somebody that speaks Cantonese. Totally different language than Mandarin, but still uses the same written characters.

          1. frank ly Silver badge

            @Doug Mac Re: More to the point

            "Totally different language than Mandarin, ..."

            You might want to consider this small extract from the article:

            " ...a glaring grammatical error in the note suggest the speaker is non-native or perhaps poorly educated."

            You might notice that the extract I quoted also has a grammatical error.

            Where does it end??

            1. Anonymous Coward

              Re: @Doug Mac More to the point

              Most people, especially those from the supposed "masters of the universe" class, would not be able to spot that. Grammar and usage apparently don't get taught in business schools these days, or, judging from the performance of the last two business school educated Presidents, for the last few decades at least.

              On the substance: shouldn't really be a surprise if it turns out the people behind this were Chinese speakers. I mean, after all, it's not like all dark web government contractors are from the Americas and Eastern Europe. It would make sense for the three-letter agencies who have been funding the hacker-for-hire industry recruited from Asia, undoubtedly in an effort to contain costs.

              All of this stuff seems so familiar: during the Cold War the US outsourced military operations against the Soviets to the Mujahideen. In the new "cyber" war the three-letters outsourced "cyber" operations to a constellation of well-connected Beltway firms that employed ex-government executives to maintain those connections. The fact that government itself has little or no organic capability to perform those operations is no accident. First of all, it would be an awful waste to have to use up finite job openings that could go to patrons, their families or business associates by employing people with actual technical skills that few in the aforementioned groups are likely to have, and, second, spending on in house resources competes with the gravy train of contracts that is the whole point of "right-sized" government.

          2. Uffish

            Re: More to the point

            Funny that southern China and Hong Kong speak Cantonese, Taiwan and Singapore speak Mandarin which makes identifying the language of the perps pretty confusing to me. My bet is that the NSA did it and included obfuscation to conform to the usual 'plausible deniability' clause in the job spec.

            Note to the outraged:- you can replace 'NSA' by anyone you want, the meaning of my comment would be unchanged.

        2. Rupert Fiennes Bronze badge

          Re: More to the point

          Actually, this doesn't make much sense. Southern China could mean Guangdong and HK where they speak Cantonese, but Taiwan and Singapore speak Mandarin. Sounds like a load of bollocks to me!

        3. John R. Macdonald

          Re: More to the point

          Isn't Cantonese the official language in Hong Kong, not Mandarin?

      2. Anonymous Coward

        Re: More to the point

        "I doubt Google keeps so much logging but they might"

        As Slurp already read your emails, you can bet they read your translation requests too if there is money to be had selling your personal data...

        1. Peter2 Silver badge

          Re: More to the point

          If Google says "it was done from THIS IP at THIS time", then I would imagine the Chinese government would be able to produce the rest from the logs of the great firewall of China. Unless China is massively behind the west in spying on their citizens, and we're told that they have a clear lead in this area.

      3. Pen-y-gors Silver badge

        Re: More to the point

        @fandom

        "I doubt Google keeps so much logging but they might"

        ROFL until I threw up!

      4. handleoclast Silver badge
        Coat

        Re: I doubt Google keeps so much logging but they might

        Google keep everything so they can target advertising.

        Every time the guy does a google search now it suggests bitcoin, ransomware and stuff like that.

        1. GrapeBunch Bronze badge

          Re: I doubt Google keeps so much logging but they might

          "Every time the guy does a google search now it suggests bitcoin, ransomware" ...

          The google-eyed monster has no incentive to play the cop. But tech sites that use google-generated ads could keep a lid open. No, no, not to catch anybody, but to put a plausible lower bound on the number of proxy servers extant.

          Too bad El Reg doesn't have a Lord Kitchener icon, with a warm and fuzzy text such as "Be sure to leave some dosh with your family so they can pay for the bullet."

          1. GrapeBunch Bronze badge

            Re: I doubt Google keeps so much logging but they might

            Replying to my own post. It has begun.

            Today El Reg served up these two ads on my front page:

            "Canada's Bitcoin Exchange - Most Secure, Lowest Fees"

            "Get a free copy of 'Building an Enterprise Cloud for Dummies.'"

            I'm touched, I'm honoured, I'm blushing. This is a way higher hacker class than the ads for Ladies' clothing I've been seeing for weeks. Though just between us, I do have a great pair of gams. Hairy, but shapely. Even Mrs. Bunch is jealous.

            So it's clear that it was all My Fault. Before you arrest me, occifers, I need to know this, what is an "Intellectual Property address"?

            1. Anonymous Coward

              Re: I doubt Google keeps so much logging but they might

              This is a way higher hacker class than the ads for Ladies' clothing I've been seeing for weeks.

              The ads I see seem to be for ladies' unclothing. I can't imagine why.

    3. Velv Silver badge
      Big Brother

      Re: More to the point

      Won't be long before the government enacts legislation to have all translations filtered through the national security service.

      And I've left government and agency vague as it could be any or all of them

    4. Hans Neeson-Bumpsadese Silver badge

      Re: More to the point

      I'm not sure what value IP address would be. Seeing as the perp(s) are in the cybercrime game, it's highly likely there'd be some IP address spoofage going on.

      1. Anonymous Coward

        Re: More to the point

        I found it! The IP is based at 102 Austin Road, Tsim Sha Tsui, Kowloon, Hong Kong.

        Oh wait, that's a Starbucks...

    5. Primus Secundus Tertius Silver badge

      Re: More to the point

      So the criminals knew Chinese and English. That could be a lot of people in the UK or USA. Both UK and USA schools produce many alumni who are a bit shakey on grammar.

      1. Doctor Syntax Silver badge
        Coat

        Re: More to the point

        "a bit shakey on grammar"

        And shaky on spelling.

        The one with the 1955 pocket OED in the pocket.

        1. GrapeBunch Bronze badge

          Re: More to the point

          " ' a bit shakey on grammar ' "

          "And shaky on spelling."

          In 1954, Sherwood “Shakey” Johnson opened the first Shakey’s Pizza Parlor® in a remodeled grocery store on 57th and J Street in Sacramento, California. (from the franchise website).

          Therefore it is likely that the shakey poster is a Yank (British term for denizen of USA). See how easy this is?

          It should never be excluded from consideration that a grammatical faux pas was committed intentionally.

  2. Anonymous Coward

    Don't be fooled people, this is just a cunning ruse by the glorious leader with his god like command of language he has fooled Google translate into thinking he is Chinese for the betterment of the peoples and the glory of the one Korea.

    Next week they will find reference to Vodka and blame the Russians.

    All part of the plan.

  3. Anonymous Coward

    'written by Google Translate using Chinese speakers'

    Or absolutely not! We know after Sony / other hacks, that there's quite a bit of gamesmanship here. If I was hell-bent on internet extortion I'd ask foreigners in a net cafe / bar to help translate. To deflect attention away from whatever my real heritage / language skills / citizen profile really is... Message would be broken up into innocuous parts first of course....

  4. Anonymous Coward

    Sure, blame the Chinese!

    From the article: ... Though the English note appears to be written by someone with a strong command of English, a glaring grammatical error in the note suggest the speaker is non-native or perhaps poorly educated.

    And as we all know, all native English speaker are highly educated, especially in the US, so it must be the Chinese. Or the Russians. Or some ISIS terrorist. Right?

  5. John Savard Silver badge

    The Dragnet Closes

    Well, at least this seems to let North Korea off the hook.

  6. Your alien overlord - fear me

    I reckon it was an AI bot that caused it. Just to see if it could beat the humans. And it nearly succeeded if it wasn't for that meddling kid.

  7. bolac

    Bloggers found this weeks ago:

    https://steemit.com/hacking/@wh1sks/wannacry-ransom-message-was-translated-using-google-translate-but-with-a-few-changes

  8. JCDenton

    I thought North Korea did it.

    1. Version 1.0 Silver badge

      NORKs or not?

      It's possible, but not proven - the fact that it fizzled out so quickly and was not particularly profitable tends to point towards an individual kiddies in my mind.

  9. Doctor Syntax Silver badge

    ISTR that the Shadow Brokers stuff contained a facility for disguising language in comments etc to confuse this sort of analysis.

  10. ChrisPv

    So comentards, not so sure now?

    In last round of comments, the mind-hive certainty that Russians are culprits based on "perfect punctuation".

    Sneaky bastards those Chinese speaking state sponsored Russian hackers.

  11. John H Woods Silver badge

    Love the way you've misspelled commentards and mangled hive-mind to throw us off.

  12. Yamal Dodgy Data

    Flashpoint Fang Pi

    Anyone else notice the glaring stupidity in Flashpoint's linguistics analysis ?

    Mandarin is a spoken language (not a set of phonetic linguistic characters which can be typed into Google Translate)

    Try again Flashpoint:....

    Hong Kong; Taiwan - Traditional Chinese characters (languages spoken Cantonese; Hokkien)

    Guangzhou; - Simplified Chinese characters (language spoken Cantonese)

    Singapore - Simplified Chinese and English (both at a native speaker level) - no need for Google Translate

  13. CrysTalK

    Cheap Translators online

    Except anyone can have a bunch of translators online these days who would charge you for peanuts. Maybe true that the keyboard used was Mandarin or Cantonese setup, but could have been requested by a different citizen in a 1st world country.

  14. Ken Hagan Gold badge

    A rookie error

    When composing a ransom note, always translate from your native language to English first and only then crank out translations from that English into every other language including your own.

  15. Jim Birch

    Speculation is speculation. Over to you Google.

  16. mhenriday
    FAIL

    What we know -

    or rather, what we are supposed to think we know - is found here. Which persons or what organisations lie behind the figures shown on the above web page ? Any reason at all to place the slightest confidence in any «analysis» from this quarter ?...

    Henri

  17. Anonymous Coward

    Dear Wanna Cry Translator

    U chin-ese suck, Ay puke readin it. Nix time, Ay do trans-late.
