WannaCry and Lazarus Group – the missing link?

2017-05-15 Kaspersky

https://securelist.com/wannacry-and-lazarus-group-the-missing-link/78431/

Kaspersky reported that a February 2017 WannaCry cryptor sample shared code with a February 2015 Lazarus APT backdoor sample highlighted by Neel Mehta. The researchers treated the finding as a significant clue about WannaCry’s origins, while noting that more research into older variants was needed and that false-flag reuse was theoretically possible but considered improbable. The excerpt connects the early WannaCry sample to the May 2017 encryptor through shared targeted file-extension lists, with later versions adding more extensions and changing some targets. The body also places Lazarus in the context of prior operations including Sony Pictures, the Bangladesh Bank heist, and DarkSeoul, and provides a YARA rule based on the shared-code finding.

Indicators of Compromise

Type  Value                             First Seen  Last Seen
HASH  9c7c7149387a1c79679a87dd1ba755bc  2017-05-15  2025-02-04
HASH  ac21c8ad899727137c4b94458d7aa8d8  2017-05-15  2025-02-04
YARA  lazaruswannacry                   2017-05-15  2017-05-15
