The hunt is on for the cyber-attackers who struck last week and the first clues are emerging - but they are far from conclusive.
Investigators suspect the attack wasn't meant to extort money as most ransomware attacks do.
They say that's based on a preliminary investigation and stressed investigators are still following digital clues in the probe.
"The consequences of the attack in Russian Federation are too damaging, and the risk that sooner or later they will be tracked, found, and prosecuted is too high", Group-IB argues. Nothing, for instance, on the scale of Stuxnet (developed by the U.S. and Israel) which targeted Iran's nuclear programme and took years of development.
But it is possible the code was simply copied from the Lazarus malware without any other direct connection.
Analysts fear North Korea are developing an ICBM that is capable of reaching U.S. shores.
Malware researcher Paul Burbage of Flashpoint, a business risk intelligence company, tells NPR's Martin Kaste that so far, he hasn't seen a solid connection between the ransomware and North Korea.
While experts are not willing to vouch for North Korean involvement, they point to a possible North Korea link to the "WannaCry" malware attack.
"We are not aware of payments that have led to any data recovery", White House Homeland Security adviser Tom Bossert said at a daily briefing on Monday. No-one is pretending this is the smoking gun.
Circumstantial evidence suggests North Korea may have been behind the global ransomware attack, according to cybersecurity experts.
Choi also cited an accidental communication he had past year with a hacker traced to a North Korean internet address who admitted development of ransomware.
WannaCry borrows code from attacks orchestrated by the Lazarus Group, a shadowy hacker collective believed to be responsible for the Sony Pictures Entertainment hack in 2014, the Bangladesh central bank hack in 2016 and the Polish bank hacks in February.
The use of ransomware would be a departure for Pyongyang, although it is the one state which is thought to have used cyber-attacks for financial purposes.
HAGATNA, Guam (AP) - While most of the United States is still out of reach of a missile launched by North Korea, the USA territory of Guam, a key military hub in the Pacific, could be within range.
Haley said the global community wants to be able to support North Korea, but as long as it continues trying to grow its nuclear program with missile tests, North Korea would remain an "island".
Security researchers are exploring the theory that the WannaCrypt ransomware might be the work of an infamous North Korean government-backed hacking crew.
Speaking to reporters ahead of a closed-door meeting of the 15-member U.N. Security Council on the missile launch, Haley made clear that Washington would only talk to North Korea once it halted its nuclear program.
These similarities might be a deliberate attempt at deception aimed at throwing suspicion onto innocent patsies and away from the real perps (i.e. a false flag operation).
It may take time for any evidence to emerge.
James Lewis, a cybersecurity expert at the Center for Strategic and International Studies in Washington, said USA investigators are collecting forensic information-such as internet addresses, samples of malware or information the culprits might have inadvertently left on computers-that could be matched with the handiwork of known hackers.
"We're looking at our victims' profiles, we're still seeing a lot of victims in the Asia-Pacific region".