The Lazarus hackers, which work under impoverished North Korea, have been known to pursue financial extortion more than others, and have been blamed some cyber security firms for the theft of $81 million from the Bangladesh central bank.
Labelling Mehta's revelation "the most significant clue to date regarding the origins of WannaCry", Kaspersky researches at the same time acknowledged that the apparent use by the WannaCry attackers of the similar code is not enough to come to definitive conclusions about its origin, as there is a possibility of it being a false flag operation and more worldwide effort is necessary to unearth its roots. Saying that it had discovered a code used in the malware that "historically was unique to Lazarus tools", the company refused to speculate on North Korea's role in the attack. Previously discovered code fingerprints already tied Lazarus Group to the highly destructive hack that caused hard drives in South Korea to self-destruct in 2013, wiped nearly a terabyte's worth of data from Sony Pictures in 2014, and siphoned nearly $1 billion from the Bangladesh Central Bank previous year by compromising the SWIFT network used to transfer funds.
The hackers appeared to have taken control of computers and servers around the world by sending a type of malicious code known as a worm to file-sharing protocols.
The initial ransom demand was $300 per machine. Infected hospitals soon responded by turning away patients and rerouting ambulances. The cases were more contained, however, than the systemic outbreak that last week paralyzed computers running factories, banks, government agencies and transport systems around the world. WCry's creators may have deliberately added code found in Cantopee in an attempt to trick researchers into mistakenly believing Lazarus Group is behind the ransomware.
"For now, more research is required into older versions of Wannacry".
Kaspersky Lab, a Russian cybersecurity firm, also pointed to similar links, writing, "We believe this might hold the key to solve some of the mysteries around this attack".
"One thing is for sure - Neel Mehta's discovery is the most significant clue to date regarding the origins of Wannacry". It is unclear whether the Lazarus Group put the ransomware on those systems, or someone else did. It first came to light in a report published in February by security firm Novetta.
A hacking group called Shadow Brokers released the malware in April, claiming to have discovered the flaw from the NSA.
North Korea usually gets the blame for this kind of caper, but it usually gets it earlier than this.
Other researchers agreed that the shared code between WCry and Cantopee was important.More news: More disruptions feared from cyber attack
Choi, known to have vast troves of data on Pyongyang's hacking activities, has publicly warned against potential ransomware attacks by the North since past year. Such "killswitches" are highly unusual for malware developed by financially motivated criminal groups.
The hackers responsible have not received much in return for their efforts.
According to Amanda Rousseau, malware researcher at security firm Endgame, it's hard to catch cybercriminals. "Killswitches in malware are rare, and I can only think of government malware with those built in".
The Japan Computer Emergency Response Team Coordination Center, a nonprofit providing support for computer attacks, said 2,000 computers at 600 locations in Japan were reported affected so far.
"We are talking about a possibility, not that this was done by North Korea", Choi said.
The global WannaCry "ransomware" cyber attack slowed yesterday, with no major infections reported, as global law enforcement agencies shifted their attention to finding the hackers who unleashed it.
A North Korean origin might also explain why the malware was fraught with other unusual behaviour, including the failure to secure the domain name that triggers the killswitch.
Finally, if the plan was simply to make money, it's been pretty unsuccessful on that front too - only around United States dollars 60,000 has been paid in ransoms, according to analysis of Bitcoin accounts being used by the criminals.
Both of the virus software companies said it was excessively quick to tell whether in these actions North Korea was convoluted.