Symantec and Kaspersky Lab said on Monday some code in an earlier version of the WannaCry software had also appeared in programs used by the Lazarus Group, which researchers from many companies have identified as a North Korea-run hacking operation.
"This is the best clue we have seen to date as to the origins of WannaCry," Kaspersky Lab researcher Kurt Baumgartner told Reuters.
“At this time, all we have is a temporal link,” Eric Chien, an investigator at Symantec, told the New York Times. “We want to see more coding similarities to give us more confidence.”
American officials said Monday that they had also seen the same similarities, the newspaper reported.
Both firms said it was too early to tell whether North Korea was involved in the attacks, which crippled the NHS on Friday and became one of the fastest-spreading extortion campaigns on record.
The cyber companies' research will be closely followed by law enforcement agencies around the world, including in Washington, where US President Donald Trump's homeland security adviser said on Monday that both foreign nations and cyber criminals were possible culprits.
The two companies said they needed to study the code more and asked for others to help with the analysis. Hackers do reuse code from other operations, so even copied lines fall well short of proof.
US and European security officials told Reuters it was still too early to say who might be behind the attacks, but they did not rule out North Korea as a suspect.
The Lazarus hackers, acting for impoverished North Korea, have been more brazen in pursuit of financial gain than others, and have been blamed for the theft of $81 million from a Bangladesh bank.
They were also blamed for the attacks on Sony Pictures Entertainment - in retaliation for the comedy film “The Interview” - and on Polish banks in February.
The North Korean mission to the United Nations was not immediately available for comment.
The perpetrators had raised less than $70,000 from users looking to regain access to their computers, according to Trump homeland security adviser Tom Bossert.
"We are not aware if payments have led to any data recovery," Mr Bossert said, adding that no federal government systems had been affected.
Some private sector cyber security experts said they were not sure if the motive of the attack was primarily to make money, noting that most large ransomware and other types of cyber extortion campaigns pull in millions of dollars of revenue.
"I believe that this was spread for the purpose of causing as much damage as possible," said Matthew Hickey, co-founder of British cyber consulting firm Hacker House.
The countries most affected by WannaCry to date are Russia, Taiwan, Ukraine and India, according to Czech security firm Avast.
The number of infections has fallen dramatically since Friday's peak, when more than 9,000 computers were being hit per hour. Earlier on Monday, Chinese traffic police and schools reported they had been targeted as the attack rolled into Asia for the new work week, but there were no major disruptions.
Authorities in Europe and the United States turned their attention to preventing hackers from spreading new versions of the virus.
Beyond the immediate need to shore up computer defenses, the attack has turned cyber security into a political topic in Europe and the United States, including discussion of the role national governments play.
In a blog post on Sunday, Microsoft Corp President Brad Smith confirmed what researchers had already widely concluded: the attack made use of a hacking tool built by the US National Security Agency (NSA) that had leaked online in April.
He poured fuel on a long-running debate over how government intelligence services should balance their desire to keep software flaws secret - in order to conduct espionage and cyber warfare - against sharing those flaws with technology companies to better secure the internet.
On Monday, Mr Bossert sought to distance the NSA from any blame.
"This was not a tool developed by the NSA to hold ransom data. This was a tool developed by culpable parties, potentially criminals or foreign nation-states, that were put together in such a way as to deliver phishing emails, put it into embedded documents, and cause infection, encryption and locking," Mr Bossert said.
Russian President Vladimir Putin, noting the technology's link to the US spy service, said it should be "discussed immediately on a serious political level."
"Once they're let out of the lamp, genies of this kind, especially those created by intelligence services, can later do damage to their authors and creators," he said.