The WannaCry cyber-attack that hit 150 countries could have been the work of Chinese-speaking hackers, new research shows.
Researchers at Flashpoint have dismissed reports that North Korean hackers were behind the ransomware attack after finding evidence that the note was translated from another language into Korean.
Their research shows fluent Chinese speakers could have created the WannaCry attack, which hit hundreds of thousands of machines at organisations including the NHS, Nissan and Telefonica.
"Flashpoint assesses with high confidence that the author of WannaCry's ransomware notes are fluent in Chinese," said the Flashpoint researchers. "The language used is consistent with that of Southern China, Hong Kong, Taiwan or Singapore."
The researchers analysed the 28 language variations of the ransom messages that appeared on computers locked by WannaCry demanding a payment of $300 (£233).
They found the Chinese and English-language ransom notes were the only ones that appeared to have been written by a human. The Korean note contained grammatical and punctuation errors that indicate a computer translated it from English.
"Analysis revealed that nearly all of the ransom notes were translated using Google Translate and that only the English version and the Chinese versions are likely to have been written by a human instead of machine translated," said Flashpoint.
The researchers said only the Chinese notes appear to have been written by a native speaker, which could mean the perpetrators were of Chinese origin.
"The two Chinese ransom notes differ substantially from other notes in content, format, and tone," Flashpoint said. "The Chinese version contains content not in any of the others, though no other notes contain content not in the Chinese.
"The relative familiarity found in the Chinese text compared to the others suggests the authors were fluent in the language - perhaps comfortable enough to use the language to write the initial note."
It comes after separate research linked the attack with North Korean hackers called the Lazarus Group. The group, which experts have connected with the North Korean state, was reportedly behind the Sony Pictures Entertainment hack in 2014 and the Bangladesh central bank attack that involved the theft of $81 million.
The English WannaCry note, unlike the Chinese, contained one major grammatical error that researchers said indicates the perpetrator is unlikely to have been a native speaker. It said: "But you have not so enough time".
The analysis revealed the messages in other languages had been translated from the English text.
Flashpoint also compared the WannaCry notes with those used in previous ransomware programs but didn't find any significant links.