There is always speculation about the skill required and resources required to do this sort of malware. this isn't like Stuxnet where a massive amount of extra knowledge was needed such as Siemens SCADA stuff, and some pretty decent rootkit type knowledge. Also the targeting requires quite a bit of knowledge about the targets, plus motivation.
This malware however really just needs to run on a windows box. And the extra parts the "team" would need would be access to 0-days, or ability/time to discover them, a way to sell the kits to people without getting caught, or a way to create and use them themselves without getting caught, and finally a way to get really money back at the end, also without getting caught.
I don't think it is a huge team, maybe 3 -5 people at the creation part. Any more and it is in danger of the usual human bullshit where there is fallings out, ego clashes, a member slipping up... (If you have 2 people creating it, getting 2 more to help doubles the chance of a mistake). Also the more people, the more chance one of them has a girlfriend/boyfriend that cant be trusted, they brag or make stupid social media posts, they have some history where they weren't so careful come back and bite them in the ass (Silk Road, lol!).
Somehow they need exploits, and the people doing the crypto part, I wouldn't think would have a huge role in that.. it takes too much time. Plus it is obvious they monitor releases of patches and Vulns, and you cannot code properly when you are pre-occupied with the world. You need web devs, and these wouldn't be the exploit devs or the crypto people because they would HATE doing web dev if they are any type of decent coder. Someone has to organise the domains and do the uploading. You also need hackers to p0wn websites. These people would generally be the younger reckless ones I reckon that love to 0wn boxes and wouldn't be skilled in actual coding. Ad to all this the ones doing all the money side of it and you start to get a significant number of people involved.
I think these different parts of the crime would not be very organised and each component may change between people as some of the players get arrested for this or other crimes they are also doing, but I doubt it is one big team. I doubt many know each other in real life or are even in the same country.
Good to see recently two of the actual developers get thrown in federal PMITA.. one for 7 years and another for I think it was 12.