The Department of Homeland Security began an "aggressive awareness campaign" to alert the tech industry to the importance of installing the patch Microsoft issued in March, which protected users from the vulnerability exploited by the attack, a US official working on the attack told Reuters. "It uses the hacking tools recently disclosed by the NSA and which have since been fixed by Microsoft in a more stealthy manner and for a different goal", Godier said.
They found code similarities between an early version of WannaCry from February and malicious tools used by a hacking group known as Lazarus.
The Lazarus Group has been blamed for several attacks dating back to 2009. In 2014, Sony Pictures underwent a cyber attack. "But these indicators are not enough to definitively say it's Lazarus at all", said Symantec researcher Eric Chien.
In November 2014, Sony Pictures Entertainment became the target of the biggest cyberattack in U.S. corporate history, linked to its release of North Korea satire "The Interview", hated by Pyongyang. All of those hacks have been linked to North Korea, the New York Times reported.
Pyongyang is believed to have thousands of highly trained computer experts working for a cyberwarfare unit called Bureau 121, which is part of the General Bureau of Reconnaissance, an elite spy agency run by the military. "From an attribution point of view a ransomware would subscribe to the narrative of Lazarus Group, which is stealing money like we saw with multiple financial institutions with fraudulent SWIFT transactions - having a nation-state powered ransomware leveraging crypto currency would be a first". It seems unlikely North Korea would want to antagonise its strongest ally.
"It is similar to North Korea's backdoor malicious codes", said Simon Choi, who had worked for many years as a senior researcher on North Korea's hacking capabilities.
"It appears less than $70,000 has been paid in ransom and we are not aware of any payments that have led to any data recovery", Tom Bossert, President Donald Trump's cybersecurity chief, told ABC News.
The attack has caused most damage in Russia, Taiwan, Ukraine and India, said Czech security firm Avast.
Second, North Korean cyber-attacks have typically been far more targeted, often with a political goal in mind. It is possible WannaCry was a hastily cobbled-together test of what the stolen NSA worm technology can do, possibly succeeding far beyond the hackers' imaginations because they thought more potential victims would have long ago patched the Microsoft Windows security vulnerability that allows WannaCry to spread so aggressively.
However, Kaspersky researchers are confident, based on other forensic details, that the WannaCry code analyzed by Neel Mehta is the precursor to the virus that attacked systems around the world on Friday.