Gabriel Gumbs, VP of Product Strategy at STEALTHbits Technologies:
“There are several signs that suggest the authors of the first observed instance of WannaCry are not amateurs and that the kill switch was likely not inadvertent. Primary among them is the absence of the practice of using auto-generated-round-robin-domains for this type of C2 (command & control) activity. But even further pointing to this new variant not being attributable to the original authors is that the new variant is a patched version of the old malware, not a recompiled version. This is a key distinction in that whoever removed the kill switch did not have access to the source code.
“Speculation about North Korea somehow being involved will be hard to prove even circumstantially. Bureau 121 and No. 91 Office, the two North Korean cyberwarfare agencies that are known to engage in this type of behavior, tend to reuse portions of their code, which has allowed us to at least speculate their involvement. In this case, much of the code was stolen from the NSA, making it harder to trace the origins of WannaCry. What we do definitively know, however, is that a manual human operator must activate decryption from the Tor C2, which means it is unlikely that the perpetrators ever intended to unlock victims' files.”