1.2 Anonymity

For cyber criminals to enjoy the rewards of their enterprise, it is important that they remain unidentified by law enforcement agencies. Therefore, they will want to make sure that neither attribution nor tracking of the ransom is possible.

Attribution is usually done based on either a mistake in the operational aspects of a campaign, or by studying the TTPs of a campaign and associating them with previously conducted attacks showing similar TTPs.

Mistakes in operations will always be there, if not in an initial attack then in subsequent ones. One hacker was identified and arrested because he happened to connect to an Apple Store with the same phone he had used minutes earlier to check on a server he had used for command and control.

But one thing that is within the control of the hackers is the way the malware is built. Just as open source software is built on top of open source libraries, cyber criminals will rely more and more on reusable components that will be marketed in underground forums and that will spur the development of many pieces of malware that are hard to trace back to any particular lineage. If 100 libraries are used to create 500 pieces of malware, it is hard to attribute any one of them to a particular group based on code analysis.
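The effect on code-similarity attribution can be seen in a small simulation, added here as an illustration and not taken from the book. It keeps the 100 libraries and 500 samples from the text; the ten groups, six components per sample, and nearest-neighbour attribution by Jaccard similarity are assumptions made for the example.

```python
import random

# Constructed parameters: 100 libraries and 500 samples follow the text;
# 10 groups and 6 components per sample are assumptions for this example.
GROUPS, SAMPLES, LIBS, PER_SAMPLE = 10, 500, 100, 6

def jaccard(a, b):
    """Similarity of two component sets: shared components / all components."""
    return len(a & b) / len(a | b)

def build_corpus(shared_market, rng):
    """Return [(group, frozenset_of_library_ids)] for SAMPLES synthetic samples."""
    corpus = []
    for i in range(SAMPLES):
        group = i % GROUPS
        if shared_market:
            pool = range(LIBS)  # every group draws from the same 100 components
        else:
            per = LIBS // GROUPS
            pool = range(group * per, (group + 1) * per)  # private toolkit of 10
        corpus.append((group, frozenset(rng.sample(pool, PER_SAMPLE))))
    return corpus

def attribution_accuracy(corpus):
    """Leave-one-out: attribute each sample to the group of its most similar neighbour."""
    hits = 0
    for i, (group, libs) in enumerate(corpus):
        best = max((j for j in range(len(corpus)) if j != i),
                   key=lambda j: jaccard(libs, corpus[j][1]))
        hits += corpus[best][0] == group
    return hits / len(corpus)

def run(seed=1):
    """Return (accuracy with private toolkits, accuracy with a shared component pool)."""
    rng = random.Random(seed)
    return (attribution_accuracy(build_corpus(False, rng)),
            attribution_accuracy(build_corpus(True, rng)))

if __name__ == "__main__":
    private, shared = run()
    print(f"private toolkits: {private:.0%}  shared components: {shared:.0%}")
```

With private toolkits every sample is attributed correctly, because any two samples from one group must share components while samples from different groups share none. With a shared pool the nearest neighbour is almost as likely to belong to any group, so accuracy falls to roughly chance, which is why analysts lean on operational mistakes and infrastructure overlap rather than code lineage alone.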
