One of the biggest mysteries of the ongoing global ransomware attack is who is behind it all. So far, WannaCry, the strain of malware, has infected 200,000 victims in roughly 150 countries, and it shows no sign of slowing down – with new variants almost inevitable.
The attack caught many unaware. The UK National Health Service, despite years of warnings that it was at risk, was widely disrupted as computers were forced offline by the worm – developed to take advantage of a Windows exploit linked to the US National Security Agency (NSA).
According to UK Home Secretary Amber Rudd, it is too early to tell who is behind the attacks.
"We're not able to tell you who's behind the attack. That work is still ongoing," she told the BBC, adding it was unclear if the incident was the work of a government.
Europol, the European Union's primary law enforcement agency, has said: "The recent attack is at an unprecedented level and will require a complex international investigation to identify the culprits."
Until there is solid proof (100% attribution of cyberattacks remains difficult), theories about who is behind the attack are largely based on previous ransomware trends. The motivation is likely financial. So far, the culprits have racked up over $40,000.
Theory One: Criminal hackers
The most prevalent theory is that the malware is the work of an organised criminal enterprise, using the ransomware to infect organisations for a lucrative payday. Their country of origin remains unclear, however, meaning the size and resources of the suspected gang are unknown.
"The attacks are likely coming from a well-organised cybercrime group," professor Giovanni Vigna, founder of security firm LastLine and director of the Centre for Cybersecurity at the University of California in Santa Barbara, told IBTimes UK in a statement via email.
He continued: "The fact that the malware seems to be made of components written by different people suggests a structured group that combines various capabilities.
"In the past, ransomware has been mostly carried out by Russian and Eastern European e-crime groups. Usually, these groups try to prevent Russian hosts from being infected. This seems not to be the case this time, as a number of Russian hosts were affected.
"However, this could be simply a mistake or a way to make things harder to track."
Graham Cluley, cybersecurity expert, blogger and commentator, said via Twitter message: "I think the most likely answer is organised criminals, just like any other ransomware attack. We don't know where in the world they might be."
Theory Two: State-Sponsored Group
The strain of ransomware, also dubbed WannaCrypt, was designed with a particular security vulnerability in mind – a bug that was reportedly once used by state-sponsored hackers at the Equation Group, a team with alleged links to the US National Security Agency.
But could a state-sponsored group be directly responsible for the latest outbreak?
Some of the more nefarious nations – North Korea, for example – have been known to use cybercrime, hacking and large-scale banking heists as a source of income.
But in this case the returns were fairly low (thanks to the expertise of a 22-year-old researcher using the name MalwareTech).
In a broader sense, some critics blame intelligence agencies for keeping vulnerabilities a secret, saying malware will always find a way to infect the public.
In a strongly-worded statement, Microsoft slammed the NSA for losing control of software bugs. "An equivalent scenario with conventional weapons would be the US military having some of its Tomahawk missiles stolen," it complained in the wake of WannaCry.
Theory Three: Script Kiddies
In April this year, a mysterious collective known as 'Shadow Brokers' released the stolen NSA tools into the wild. This meant the designers of the WannaCry ransomware knew exactly where the security gaps were located on unpatched computer systems.
While organised criminals remain the most popular working theory among the experts, it's not impossible that a group of unsophisticated hackers got lucky. On the dark web, for example, ransomware-as-a-service (RaaS) has been available to purchase for years.
Typically, script kiddies – as they are sometimes known – lack the ability to code their own malware, which is why they purchase it online. However, at the time of writing, there is no evidence to suggest this variant of WannaCry was bought in this manner.
For now, the investigation is ongoing.
The UK National Cyber Security Centre (NCSC) said in a statement on 14 May (Sunday): "Ransomware attacks are typically carried out by criminal groups, however we cannot rule out anything while investigations are ongoing." GCHQ declined to comment.