We still don’t know who was responsible for the WannaCry ransomware attacks last month, but more security agencies are pointing the finger of suspicion toward infamous North Korean hacking organization the Lazarus Group.

While WannaCry affected over 300,000 PCs in over 150 countries, the UK national health service was one of the earliest and hardest hit. An investigation led by Britain’s National Cyber Security Centre (NCSC) – part of the country’s GCHQ intelligence agency – reached the same conclusions as those presented by researchers from Symantec, Google, Kaspersky, and South Korea’s Hauri Labs: based on similarities in the WannaCry code and tools created by the hackers, the Lazarus Group was responsible for the ransomware.

The group, which was behind the 2014 Sony Pictures hack and the heist on a Bangladeshi bank last year, reportedly has links to the North Korean leadership, though the extent of the hermit nation’s role in WannaCry is unknown.

Pyongyang has called the alleged links “ridiculous,” but officials say there is little evidence that points toward alternative suspects.

While WannaCry quickly became a global epidemic, it seems the attackers did not expect it to spread as fast as it did. The wallets into which the ransom money was paid have seen no withdrawals, possibly because the risk of moving it is too high given the global attention the malware received.

In late May, web intelligence firm Flashpoint carried out a linguistic and cultural review of the WannaCry ransom notes. It concluded that perpetrators are somehow linked to China – the same country where the Lazurus group is said to operate out of.