Days after the global cyber attack, UK police are trying to figure out whether it was an established network of criminals, state-backed hackers or bored teenagers that crippled the country's health service.
The malware campaign affected more than 200,000 computers in at least 150 countries, locking users out of systems at Chinese government agencies, Deutsche Bahn, automakers Nissan Motor and Renault, logistics giant FedEx, and hospitals around the world.
As security experts gain the upper hand in containing the infection, police have begun the hunt for its creators.
"The response is beyond anything I've seen before," said Steven Wilson, the head of Europol's EC3 cyber crime unit. "The picture is starting to emerge slowly. This could be something that is going to take us a considerable period of time."
Finding and locking up hackers may be the toughest job in law enforcement.
Criminals can use the darkweb -- the subterranean layer of the internet untouched by conventional search engines -- to disguise their activities, and make use of a complex online ecosystem of black market services that is global in nature. Suspects are often in Eastern Europe, Russia or other hard-to-reach jurisdictions for US or European police.
The UK and Russia were among the worst hit, making them the likely leaders in any investigation.
"We are absolutely focused in finding out who the criminals behind this attack are," said Lynne Owens, director general at the National Crime Agency, known as the UK's FBI.
"At this moment in time, we don't know whether it's a very sophisticated network or whether it's a number of individuals working together," Owens said in an interview posted on the agency's website.
Unlike being hacked by clicking on a malicious email or link, the "WannaCry" virus replicated itself, spreading for computer to computer automatically and demanding that computer users pay a ransom in bitcoin, an online currency that is extremely difficult to track.
"It takes a colossal amount of time, resource, knowledge, skill and effort to look through all the data and follow it through all the encrypted steps," said Brian Lord, a former director at the UK's signals intelligence agency, GCHQ.
Lord, now an executive at security firm PGI Cyber, said it takes "strategic patience" and that law enforcement agencies -- with all of their competing priorities and demands -- rarely had such qualities.
This time it may be different, given the widespread damage caused by WannaCry, according to Thomas Brown, a former assistant US attorney in New York who supervised a cyber crime unit.
The response is beyond anything I've seen before.
"The wealth of available evidence given the vast scope of the attack, as well as the fact that there will probably be very strong international cooperation in light of the huge number of affected countries (including Russia), indicate that the investigation will be extremely robust," he said.
The probe will likely feature a combination of high-tech evidence gathering and traditional gum shoe techniques, such as interviewing suspects and confidential sources, said Brown, a managing director at Berkeley Research Group.
An NCA spokeswoman said the agency would use its international liaison officers, based in 120 countries, to work with overseas forces.
Leading the NCA operation is Oliver Gower, a former civil servant who speaks fluent French and who has spend the past five years helping build a coordinated government response to cyber crime, according to his LinkedIn profile.
Cyber criminals may believe they are anonymous but we will use all the tools at our disposal to bring them to justice.
"Cyber criminals may believe they are anonymous but we will use all the tools at our disposal to bring them to justice," Gower said in a statement last week.
The NCA has made progress in dismantling the online systems that distribute viruses, and recently arrested suspected cyber money launderers. Unlike US authorities, it doesn't have a track record of extraditing overseas hackers or, in one instance, seizing them while on holiday in the Maldives. The NCA's cyber division is probably best known for an advertising campaign trying to dissuade teenagers from breaking computer laws.
The NCA can also call on the UK's new National Cyber Security Centre, a GCHQ division created last year to be the public face of the famously secretive data collection agency.
The NCSC coordinated the immediate response to the ransonware attack, its first major incident. Over the weekend, the centre made contact with some of the world's largest private cyber security companies, including Secureworks and FireEye, compiling information about the ransomware and how to contain it.
"This is the NCA's biggest challenge to date," said Alex Mendez, joint founder of Remora, a London-based computer security firm. The agency could potentially work together with other countries but in practice it can be hard to agree on operational actions due to the underlying political environment, he said.