N Korea link suspected in global cyber-attack

Update: 2017-05-16 07:17:36

It's unclear who is responsible for the global cyberattack that targeted around 300,000 machines in 150 countries. Businesses are still reeling from the fallout, and government agencies around the world are investigating.

Security researchers have documented similarities between the WannaCry code and malware created by Lazarus group, a hacking operation that has been linked to North Korea. The code similarities were discovered by Google researcher Neel Mehta on Monday. Google declined to comment.

The security firm Symantec also found links between Lazarus and WannaCry. It discovered early versions of WannaCry on systems that had been compromised by the Lazarus group's tools. These versions were different from the ransomware that spread on Friday. It is unclear whether the Lazarus group put the ransomware on those systems or someone else did.

Kaspersky Lab, a security company, has also published details of the similarities. The Lazarus group was linked to the 2014 hack of Sony Pictures and attacks on banks around the world.

The latest observations are still a long way from determining whether North Korean hackers were behind the recent global cyberattack, but they demonstrate how researchers go about finding who is to blame. One way is to investigate the code and compare it to samples that known hackers have used in the past.

The WannaCry ransomware took computers hostage by encrypting their files and requiring payment to unlock them. It leveraged a Windows vulnerability leaked in a trove of hacking tools believed to belong to the NSA. The ransomware mostly affects businesses and large organizations that use a Windows tool that enables file-sharing.

Microsoft released a patch for the vulnerability in March.

Multiple government agencies are committed to tracking down the perpetrators.

Researchers are piecing together where WannaCry came from, and some insight into how hackers used the leaked Microsoft vulnerabilities could be found on the dark web.

The dark web is like a second layer of the internet beyond what average people use every day. It can only be accessed via the Tor browser, which gives users a cloak of anonymity and makes it impossible for anyone else to see their activity.

Cybersecurity firm CYR3CON collects information from dark web sites and uses it to understand cybersecurity threats. In mid-April, the firm identified a conversation on a popular Russian forum that discussed using the leaked NSA exploits to launch ransomware attacks against hospitals.

Though there were many dark web conversations around the tools after they were released in April, this specific thread talked about a ransomware attack strikingly similar to WannaCry.

It's impossible to know who posted it, and it is not evidence that people who participated in the thread were responsible. But law enforcement and researchers can use this information to see what future attacks might look like so companies and users can defend themselves against hacks.

BDST: 1715 HRS, MAY 16, 2017
AP
