BREAKING THE MOLD: NORTH KOREA IS UNLIKELY TO BE BEHIND THE WANNACRY ATTACK
2017-12-19 • Cybereason
https://www.cybereason.com/blog/north-korea-is-unlikely-to-be-behind-the-wannacry-attack
Cybereason argued that North Korea was unlikely to have ordered the WannaCry campaign, challenging public attribution that relied on earlier government and industry claims without presenting new technical evidence. The analysis contrasts WannaCry’s broad, indiscriminate spread with DPRK cyber operations that it says historically used custom tooling, reconnaissance, destructive attacks, and financially motivated intrusions against specific strategic targets. It notes that Lazarus-linked tooling has included custom encryption, fake TLS-like traffic over port 443, self-destruct and file-deletion capabilities, RAT-led network access, host enumeration, and MBR erasers used in South Korean, Sony, and SWIFT-related attacks. The author also argues that WannaCry’s heavy impact on China and Russia and lower compromise rates in South Korea, Japan, and the United States did not fit Pyongyang’s usual targeting incentives. The piece matters as a cautionary attribution assessment because it accepts the seriousness of DPRK cyber activity while disputing whether the available evidence matched this specific ransomware event.