The hackers involved in the WannaCry ransomware attack are still unknown, but new research from the security firm Flashpoint indicates there could be a connection to Southern China.

In a recent blog post, Flashpoint gave an outline of its linguistic analysis of the WannaCry ransom notes, which appeared in nearly 100 countries and was distributed in 28 different languages.

In Flashpoint’s blog post they point out that the author of the ransom notes was likely “native or at least fluent” in Chinese. Out of the 28 different notes, the only ones written by a human appeared to be English and Chinese Traditional and Simplified. The other 25 notes were most likely transcribed from the English note by an online translating tool, like Google Translate.

In Flashpoint’s analysis, they cite that both the Chinese notes have more information and are in a different format with differing content.

“The text uses certain terms that further narrow down a geographic location. One term, “礼拜” for “week,” is more common in South China, Hong Kong, Taiwan, and Singapore”

Google Translate can’t handle English to Chinese very well. As you can see in this picture, putting in “Your important files are encrypted” returns with the Chinese characters, when these characters are put back in and translated into English, it takes away the plural “files” and turns it into passive voice. This may seem like a small change, but putting many paragraphs through Google Translate can become a serious problem.