My guess is this is why we're seeing multiple bitcoin addresses:
The original authors first released it with their own bitcoin address. It then spreads p2p around the world wherever it can to front-facing PCs.
Then 3rd-party spearphishers are sending it to corporate networks with their own bitcoin address so they can get the credit for getting past/through firewalls.
If the payment goes to them instead of the original authors, how could the new hijackers of the virus offer to decrypt the data? I'd assume only the original authors have access to the private keys needed for that.
If someone was really clever they could change the Tor addresses it talks to for command & control and write their own complete replacement backend, but at that point it seems like you'd be looking at people capable enough to just write their own malware from scratch anyway...
It could be one back-end, with the malware authors paying a cut to the spearphishers. The spearphishers could monitor the bitcoin address to ensure they get the right cut.
Some level of trust would be involved.
I think the spearphishing industry and the malware writing industry aren't one and the same. The former is the marketing department, the latter is the tech department.