US and British investigators suggest the attack was launched by the hacking group Lazarus from within the borders of the hermit state, but admit it is not clear whether it was directed by the North Korean government itself.
The attack saw hackers bore into NHS systems and threaten to delete vital data unless ransoms were paid.
The investigation is being led by the British National Cyber Security Centre (NCSC).
A parallel US investigation being conducted by the National Security Agency (NSA) said investigators had “moderate confidence” that the attack originated in North Korea.
Although spokespeople for the NCSC told ITV journalists they could not confirm or deny their findings at this stage, private sector cyber specialists were more forthcoming with their conclusions.
Adrian Nish, the head of BAE Systems’s cyber threat intelligence team, said there are “overlaps” between the codes used to attack the NHS and earlier attacks by Lazarus.
“It seems to tie back to the same code-base and the same authors. The code-overlaps are significant.”
He compared the NHS attack to one on a Bangladeshi bank in 2016, in which the hackers extorted $81 million.
The cash was then laundered through casinos in the Philippines.
“It was one of the biggest bank heists of all time in physical space or in cyberspace,” Nish said, adding that similar activity had been seen at banks in Poland and Mexico.
The WannaCry software used in the attack penetrates and locks computer systems and demands a ransom in exchange for returning control to the owners.
The ransomware cyberattack that hit Britain’s National Health Service (NHS) in May likely originated in North Korea, investigators say.