![](\"http:\/\/zapt0.staticworld.net\/images\/article\/2017\/02\/cw_audio_teaser_mingis_on_tech_3x2_primary_1800x1200-100710181-large.3x2.jpg\"\/)
<\/p>\n<\/p>\n
Credit to Author: Ken Mingis, \t\t\t\t\t\t \t\t\t\t\t\t\tFahmida Y. Rashid| Date: Wed, 12 Jul 2017 03:00:00 -0700<\/strong><\/p>\n Sometimes, how<\/em> you say something can be as important as what you say — especially when’s there been a cyberattack and law enforcement officials are trying to figure out who you are.<\/p>\n That’s what CSO<\/em> senior writer Fahmida Rashid<\/a> found when she looked into how cybersecurity firms go about tracking down the bad actors<\/a> behind malware campaigns.\u00a0While linguistics may not be the first thing companies worry about when trying to protect — or retrieve access to — their data, it can help pinpoint an attack’s origin, Rashid told Computerworld<\/em> Executive Editor Ken Mingis.<\/p>\n Linguistics analysis has been used to investigate various attacks, including the 2014 Sony breach, ShadowBrokers and Guccifer 2.0<\/a>\u00a0— and it\u00a0seems to be gaining traction \u00a0because it can help identify the shadowy figures behind ransomware attacks, Rashid said. For example, Flashpoint analysts analyzed every language version of the ransom notes that accompanied WannaCry, and determined that the notes written in Bulgarian, French, German, Italian, Japanese, Korean, Russian, Spanish and Vietnamese had been translated from a note originally written in English. (In the CoinVault ransomware attack, investigators found several phrases in \u201cperfect Dutch,\u201d indicating a Dutch connection<\/a>.)<\/p>\n Ransomware lends itself well to linguistic analysis because when attackers write the \u00a0ransom notes their speech patterns show up in the text. There happens to be more text to analyze, and unlike spam and phishing messages where attackers have to \u00a0mimic legitimate entities, ransom notes can hide clues on how comfortable the writer is in that language.<\/p>\n The fascinating part, according to Rashid, is that linguists can learn about attackers by the way they phrase certain words, or even by the words themselves. That’s particularly true of ransomware like WannaCry<\/a>, where victims get a message from the attackers — and that message can contain hidden clues.\u00a0Linguists like Shlomo Argamon<\/a>, professor of computer science at the Illinois Institute of Technology, say it\u2019s important to have as much text as possible to analyze. The more there is, the more likely the \u201ctrue\u201d attributes can be surfaced.<\/p>\n It’s not fool-proof<\/a>, Rashid noted. Different people can speak multiple languages and with differing degrees of proficiency, sometimes obscuring an attack’s origin. Attackers regularly employ red herrings and false flags to throw investigators off; they \u00a0manipulate when they launch attacks; change timestamps; and even intentionally insert cultural references and phrases to misdirect investigators. Even so, it is hard to consistently plant fake clues in speech.<\/p>\n For an audio podcast only, click play (or catch up on all episodes) below. Or you can\u00a0now find us on iTunes<\/a>, where you can download each episode and listen at your leisure.<\/p>\n