It basically comes down to it looking like Lazarus Group.
The WannaCry attacks used the same command-and-control server used in the North Korean hack of Sony Pictures Entertainment in 2014, which wiped out nearly half of the company’s personal computers and servers.
...
Other digital crumbs linking the North Korean group to WannaCry include a tool that deletes data that had been used in other Lazarus attacks. The hackers behind WannaCry also used a rare encryption method and an equally unusual technique to cover their tracks.
Security researchers matched parts of the WannaCry code to previous viruses that were thought to originate from NK. Of course they also said anyone could have copied and pasted the code and just made it look like that, but the media ignored that part.
> The haystack needle Mehta presented Monday now connects Lazarus to WCry, although the tie connecting the two isn't precisely clear just yet. WCry's creators may have deliberately added code found in Contopee in an attempt to trick researchers into mistakenly believing Lazarus Group is behind the ransomware. Researchers at antivirus provider Kaspersky Lab said such a "false flag" is plausible but improbable. The Contopee code snippet, the researchers explained, was removed from later versions of WCry, making it hard to spot and hence ill-suited to act as a decoy.
> [...]
> Grooten went on to say, "BTW, 'North Korea' may well be a foreign hacker group paid by them."
Is there any evidence for this? Looks like another fake rumor.