The ransomware epidemic known as Wanna Cry (or Wanna Crypt) continued its march around the globe on Monday. The sinister extortion scheme—in which victims must pay to recover precious data—has already hit hundreds of thousands of computers at companies, schools, and hospitals.
And security experts warn this is far from over.
While the priority right now is to secure our computer systems, the crisis has also led to finger-pointing over who bears responsibility. So far, at least five groups have come under scrutiny. Here’s a list of possible culprits and what people are saying:
1. Microsoft
The ransomware epidemic is spreading because there are vulnerabilities in the Microsoft (MSFT) operating systems that are installed in millions of computers around the world. The flaws in the company’s codes are what make it possible to carry out the attacks in the first place.
Microsoft has responded by blaming secret government hacking programs that discover these flaws, and repeated its call for a “digital Geneva convention” to stop the spread of cyber-weapons.
Not everyone is ready, however, to join Microsoft in shifting blame to the government. Security experts say the company has failed to do enough to create patches for older versions of its operating system, which are still in widespread use—especially at hospitals and public sector organizations. In this view, Microsoft knew that all that old software was a ticking time bomb, but failed to make fixing it much of a priority.
Get Data Sheet, Fortune’s technology newsletter.
2. Hospitals and Companies That Were Hit
Most people frown upon the practice of blaming the victims of cybersecurity attack. After all, many lack the resources to keep systems up to data and, in any case, shaming is probably not the best way to improve security in the future.
But not everyone has been so forgiving in the wake of the ransomware attacks. Some people are pointing out that updating software (which would have prevented the ransomware attacks) is a basic part of running computers these days.
“Particularly for organisations with professionally managed desktop environments, there is no “oh, we didn’t realise” or other cop out excuses here, someone screwed up big time,” said noted security researcher Troy Hunt in a definitive account of the attacks. Meanwhile, other experts observe that no one gets a pass on security just because it involves computers:
Not "victim blaming" the UK NHS for failure to patch is like not "victim blaming" an airline for failing to maintain aircraft after a crash
— Robᵉʳᵗ Graham 𝕏 (@ErrataRob) May 14, 2017
3. The NSA
Some see the National Security Agency as the primary culprit here because it was the U.S. spy agency that found and exploited the Microsoft flaws in the first place. Someone then stole the NSA’s techniques and published them on the Internet, where they were then used to create the current ransomware epidemic.
“Malware created by intelligence agencies can backfire on its creators,” noted Russian President Vladimir Putin, who blamed the U.S. government after his own country was badly hit by the WannaCry ransomware attacks. Such scolding also came from the NSA’s most famous critic, the former contractor Edward Snowden:
.@NSAGov's choices risked permitting low-skill criminals launch government-scale attacks, and then it happened. There's no waving that away. https://t.co/YSbbonoSDj
— Edward Snowden (@Snowden) May 13, 2017
4. Cybersecurity Companies
Cybersecurity is a booming business with dozens of giant companies selling “solutions” that promise to shield organizations—like so many of the victims of the current ransomware epidemic—stay safe from attacks. These companies include the likes of Sophos, whose marketing materials boasted that it protected the U.K.’s National Health Service, which suffered terrible attacks on Friday:
Remember: pic.twitter.com/iuDX8wCLkU
— Robᵉʳᵗ Graham 𝕏 (@ErrataRob) May 14, 2017
The Sophos image is real. I confirmed it. They have scrubbed it from their website today, but it still exists in Google cache pic.twitter.com/VJ0nTHcdxo
— Robᵉʳᵗ Graham 𝕏 (@ErrataRob) May 14, 2017
The problem, however, may be much broader than just Sophos. Critics of the cybersecurity industry say many companies rely on scare tactics and slick marketing to sell products that fail to actually protect their clients, and convey a false sense of computers.
https://twitter.com/hrbrmstr/status/864100847155859456
Such criticism may do little, though, to stop the gravy train that is the cybersecurity industry right now. On Monday morning, stocks in the sector were up across the board—and those of Sophos were up 7%!
5. The Bad Guys
While there’s lots of blame to go around—and everyone above deserves at least some of it—no one should forget that the people most responsible are the criminals who methodically launched the ransomware scheme. They are the ones who froze thousands of computers, including ones at hospitals and police departments, and put lives at risk for money.
For now, we don’t know who they are. But in the next year or two, don’t be surprised if a global law enforcement brings them to justice.
