From the article it sounds like the attackers' wallet id is hard-coded into the malware. I'm not familiar with monero, but aren't all transactions in cryptocurrency public and permanent?
Wouldn't it be obvious from following that who is ultimately benefiting from this?
I also don't think these criminals necessarily convert to fiat to aquire what they need/want.
Not with monero (and possibly other cryptocurrencies)
It would not, unless you could trace that address to a person.
There are coin tumbler services that supposedly "clean" the origin of whatever crypto you are using by exchanging it.
There's also Monero, which essentially has this feature baked in.
Cashing out anonymously can be difficult- localbitcoins allows you to basically conduct ad hoc exchanges of crypto with other people.